GMX-logo

GMX

GMX is a decentralized spot and perpetual exchange that supports low swap fees and zero price impact trades.

Arbitrum
Avalanche
Defi
AMM
DEX
JavaScript
Solidity
Typescript
Maximum Bounty
$5,000,000
Live Since
20 October 2021
Last Updated
18 November 2024
  • Triaged by Immunefi

  • PoC required

Rewards

GMX provides rewards in ETH or USDC on Avalanche, Arbitrium, denominated in USD.

Rewards by Threat Level

Smart Contract
Critical
Up to: $5,000,000
Primacy of Rules
High
Flat: $25,000
Primacy of Rules
Medium
Flat: $10,000
Primacy of Rules
Critical Reward Calculation

Mainnet assets:

Reward amount is 10% of the funds directly affected up to a maximum of:

$5,000,000
Websites and Applications
Critical
Flat: $50,000
Primacy of Rules
High
Flat: $25,000
Primacy of Rules
Medium
Flat: $10,000
Primacy of Rules

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

The following vulnerabilities are not eligible for a reward:

  • Exploits that require access to the Timelock admin keys or Fast Price Feed admin keys
  • Cases involving risks of losses to the GLP pool in case the assets in the pool decrease in price
  • Cases involving price manipulation on exchanges
  • Vesting schedules might be slightly faster for multiple deposits
  • Vault.includeAmmPrice and Vault.useSwapPricing are not reset to default values for certain cases, these variables will not be used
  • Vault.liquidatePosition does not pay the transaction sender for certain cases, this is intentional
  • Exploits that are not economically practical to execute
  • Exploits due to delays or sizes of price feed updates
  • In general, we assume that the fees earned from swaps and leverage trading over a period of a few months will be larger than any potential losses from price updates, we will be analyzing past data to adjust the fees and parameters for this. Additionally, any changes relating to the minimum price movement for profit as well as the cooldown duration for redeeming GLP will only be done after this analysis. This analysis will also consider cases where opening both a long and short position within the minimum price movement may result in a higher probability of profit. Reports relating to these should be excluded.
  • Calling Vault.setTokenConfig, Vault.clearTokenConfig, Vault.setTokenConfig on the same token would lead to double counting of the token amounts in GlpManager, Vault.clearTokenConfig will not be used
  • GlpManager.getAum may return a slightly higher value until a liquidation occurs
  • GlpManager.getAum may return a slightly lower value when there are shorts in profit but the price movement is below the 1.5% threshold
  • It is possible for a user to burn and then mint GLP to frontrun price movements, the fees are assumed to be sufficient to prevent this from being profitable
  • There will be some deviation of Vault.globalShortAveragePrices from the true average price if users increase their short position while the mark price is within 1.5% of their position’s average price, it is evaluated to not be economical for users to do this intentionally whether in combination with GLP minting or otherwise, GlpManager.setAumAdjustment can be used to correct this drift if required
  • Vault.CollectSwapFees (_ token, feeAmount, tokenToUsdMin ( _ token, feeAmount))
  • It is expected that liquidators, order executors and other keepers will validate that transactions succeed before sending them to avoid gas griefing attacks
  • Exploits due to issues with hosting providers e.g. Netlify, Cloudflare Pages, IPFS and which cannot be fixed by changing any configuration on our side will be given an Informational classification, these exploits should be reported using the bug bounty program of the hosting providers instead

Payouts are handled by the GMX team directly and are denominated in USD. However, payouts are done in ETH or USDC

Program Overview

GMX is a decentralized spot and perpetual exchange that supports low swap fees and zero price impact trades.

Trading is supported by a unique multi-asset pool that earns liquidity providers fees from market making, swap fees, leverage trading (spreads, funding fees & liquidations) and asset rebalancing.

For more information about GMX, please visit https://gmx.io/.

This bug bounty program is focused on their smart contracts and app and is focused on preventing:

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Insolvency
  • Loss of user funds by freezing, theft, or manipulation of the price of GLP
  • Unable to call smart contract
  • Thefts and freezing of principal of any amount
  • Thefts and freezing of unclaimed yield of any amount
  • Theft of governance funds

KYC not required

No KYC information is required for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Severity
Min. - Max.
Critical
$5M
High
$25k
Medium
$10k
Total paid reports

15 reports

Med. Resolution Time
8 hours
Total Assets in Scope
250