Security

This page covers general safety practices, audit reports, and the bug bounty program.

General safety

Exercise caution when interacting with any smart contract or blockchain application. Although the GMX team mitigates risk through rigorous testing, independent audits, and an active bug bounty program, smart contract code can contain vulnerabilities that remain undetected even after review.

Keep the following points in mind:

  • Phishing attacks and scams are prevalent in both traditional and blockchain contexts.
  • Blockchain-specific phishing techniques include tricking users into revealing private keys or seed phrases, or into signing malicious transactions.
  • Consider maintaining two separate wallets — one to store the majority of your holdings (a "cold" wallet with minimal dApp exposure), and a separate wallet for interacting with new or unfamiliar websites.
  • Before signing any transaction, verify the target contract address and review the operation being signed. Most wallets display the operation name and contract details to assist with this.
  • Only interact with the official GMX interface and the verified contract addresses listed on the contracts page.
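
The pre-signing check described above can be scripted. The following is an added example, not GMX code: it reviews a transaction's target and calldata against an allowlist, and for token approvals it checks the spender inside the calldata, since that is the address that gains control. The allowlist entry is a constructed placeholder and `review_transaction` is a hypothetical helper name.

```python
# Added example: pre-signing review of a transaction's target and operation.
# The allowlist entry is a constructed placeholder, not a real GMX contract.
ALLOWLIST = {
    "0x" + "11" * 20: "ExampleRouter (placeholder)",
}
# Standard ERC-20 / ERC-721 function selectors (first 4 bytes of calldata).
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _address_from_word(word_hex):
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word_hex[24:]


def review_transaction(to, data):
    """Return a list of warnings for a transaction's target and calldata."""
    to = to.lower()
    body = data.lower().removeprefix("0x")
    selector, args = body[:8], body[8:]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    warnings = []

    if selector in (APPROVE, SET_APPROVAL_FOR_ALL):
        # The target is a token contract; the address that gains power is
        # the spender/operator inside the calldata, so check that instead.
        if len(words) < 2 or len(words[1]) != 64:
            return ["malformed approval calldata"]
        grantee = _address_from_word(words[0])
        if grantee not in ALLOWLIST:
            warnings.append(f"approval grantee {grantee} is not on the allowlist")
        value = int(words[1], 16)
        if selector == APPROVE and value == MAX_UINT256:
            warnings.append("unlimited token allowance requested")
        if selector == SET_APPROVAL_FOR_ALL and value != 0:
            warnings.append("operator would control every token in the collection")
    elif to not in ALLOWLIST:
        warnings.append(f"target {to} is not on the allowlist")
    return warnings
```

An empty result means no rule fired; it does not show that the transaction is safe, only that the target or grantee matched the allowlist you supplied.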

Audits

Audit reports for GMX V2 contracts are available in the gmx-synthetics repository. The following firms have conducted audits:

  • Guardian — Primary auditor for GMX. Conducted 8 engagements between October 2022 and September 2023, totalling 88 person-weeks and resulting in the remediation or acknowledgement of 365 findings across the full severity range. Guardian continues to audit all smart contract updates, with additional engagements through 2024, 2025, and 2026 covering GLV, buybacks, pro tiers, gasless calls, cross-chain V2.2, fee automations, and subsequent protocol changes.
  • ABDK — Audited the GMX Synthetics contracts at a specific commit.
  • Certora — Audited GMX Synthetics (November 2023).
  • Dedaub — Audited GMX Synthetics.
  • Sherlock — Audited GMX Synthetics updates.

Bug bounty

GMX maintains an active bug bounty program covering all repositories under github.com/gmx-io. Full program details, scope, and reward tiers are available on the GMX Immunefi page.