GMX, a decentralized exchange, awarded Collider Research a $1 million bug bounty in 2022. This payout was in recognition of their discovery of a critical bug in GMX’s smart contracts that directly affected how the protocol tracks outstanding debt.
The Bug Affecting GMX And GLP
GMX has not provided more information on how the bug was patched and when. However, the DEX operator said the bug negatively impacted GMX v1 liquidity providers (LPs) as the code led to inaccuracies in quotes related to “the fair value of tokens.” Specifically, the bug affected the Global Liquidity Pool (GLP), causing it to deviate from its fair value.
Since GMX supports up to 50X leverage, a system tracks debt borrowed by traders and how it is repaid. It is smart contract-driven, and the trader enters into debt for every leveraged position. If prices move against them, they are liquidated, and the margin securing the leveraged position is transferred to the protocol.
Any disruption to this mechanism can severely affect GMX, impacting revenue and disincentivizing liquidity providers from engaging.
In September 2022, a flaw affecting GLP and impacting the DEX’s “minimal fee” and “zero price impact” features saw an unidentified exploiter make way with over $570,000 from the AVAX/USD marketplace.
By deploying on Arbitrum, a layer-2, and Avalanche, a high throughput and low-fee blockchain, the protocol supports low-fee swapping powered by GLP, a liquidity pool holding all assets traded on GMX. From the GLP, liquidity providers who could have been significantly impacted can earn fees from swap fees, spreads from leverage trading, and whenever there is asset rebalancing.
Bounty Program Can Reward Up To $5 Million
Further details show that GMX’s bug bounty program focuses on ensuring their smart contracts and application function as designed without weakness, considering the trustless nature of swaps. The goal is to prevent theft of user funds through various means, including unauthorized transfers, price manipulation of GLP, freezing, and other threat vectors.
Whenever there is a flaw, and the white hacker identifies it, the GMX bug bounty program will distribute rewards depending on the flaw’s severity. However, any submission must accompany a report demonstrating how the code error impacts the protocol before being reviewed and the reward distributed.
Even so, in GMX, all critical smart contract vulnerabilities are subject to a 10% cap on the potential damage it would have caused. The maximum bounty paid to developers who pick out critical code flaws is $5 million.
Feature image from Canva, chart from TradingView