GMX
About
GMX is a decentralized spot and perpetual exchange operating on Arbitrum, Avalanche, Botanix, and MegaETH. It enables leveraged trading up to 100x and token swaps with low price impact, powered entirely by GM and GLV liquidity pools — no order book or external market makers. Traders execute against pooled liquidity using Chainlink Data Stream oracles for fair pricing, while liquidity providers earn the majority of fees generated across trades, swaps, borrows, and liquidations.
Where Does Yield Come From?
Yield on GMX comes from two main routes.
1. Providing liquidity — You deposit into a GM pool (a market pool) or a GLV pool (a special vault that manages liquidity). As a liquidity provider (LP), you earn 63% of all fees from leverage trading, liquidations, borrowing, and swaps on Arbitrum and Avalanche (50% on Botanix). Fees flow directly into the pool and raise the value of the GM or GLV token over time. There is no separate claim step — just holding the token is how you accrue earnings.
Borrowing fees are charged only to the side (longs or shorts) that has the larger open position size. The fee uses a "kink" model: it stays low until the pool is about 75% utilized, then rises sharply above that level.
Funding fees (adaptive fees) constantly move between traders based on whether longs or shorts are more popular. The larger side pays the smaller side, updated every second.
If you close a position that incurred negative price impact beyond a market's cap, you may be eligible for a price impact rebate, claimable after a five-day wait.
2. Staking the GMX token — 27% of protocol fees are used to buy back GMX tokens on the open market. These bought-back tokens are held in the Treasury and distributed to stakers based on time-weighted staking power (accrued continuously per second). A loyalty rule resets your accumulated power if your staked balance ever drops below 80% of your historical peak.
The remaining fee split covers Chainlink oracle costs (1.2%), the treasury, and keeper execution fees.
EsGMX is a non-transferable reward token from past incentives. You can stake it alongside GMX for extra staking power, or vest it into regular GMX over 365 days.
Important: Each GM pool is risk-isolated. The capital you provide to one market is never exposed to trader profits or losses in another market.
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
ABDK— |
| The full ABDK audit report with severity counts was not retrievable from this URL; only a brief remediation note was accessible, which is insufficient for a comprehensive security assessment of GMX. |
ABDK Consulting20-04-2021 |
| The audit identified 2 critical and 3 major vulnerabilities that were described as easy to fix, alongside numerous minor improvements, with all findings opened at report time; the protocol should have remediated these issues before mainnet deployment to ensure safety. |
Guardian (Guardian Audits)10-11-2023 - 27-11-2023 |
| All 17 findings remain unresolved (Pending), meaning the identified high-severity risks—including GLP mispricing leading to potential lending-protocol exploits and non-liquidatable insolvent positions—were unaddressed at the time of reporting, indicating significant residual security exposure for the GMX V1 system. |
Quantstamp15-08-2022 - 07-09-2022 |
| The audit reveals significant centralization risk and operational complexity in GMX, with the sole medium finding (rug-pull via privileged roles) and 34 unresolved issues across low/informational bands indicating that users should interact conservatively and remain cognizant of admin power and configuration risks. |
| This file is not the Quantstamp audit report itself but a brief internal response clarifying a single medium-risk timelock finding; no severity counts or complete audit data can be extracted, so the document is insufficient for a full security assessment. | |
ABDK— |
| The single Critical finding (PnL accounting direction error) represents a genuine solvency risk if uncorrected, but it is a straightforward fix. The 27 Major findings, while individually resolvable, collectively indicate that the codebase required significant hardening around access controls, arithmetic safety, and event emission before production deployment. |
Certora13-11-2023 |
| The audit identified two high-severity and three medium-severity issues; the highest-impact bug (H-01) was fixed by the GMX team, while the remaining findings were acknowledged—several as known design limitations. Combined with formal verification of core solvency and access-control invariants, the report indicates a reasonable security posture for the protocol's scope. |
Dedaub20-11-2022 |
| The audit reveals a critical reentrancy vulnerability and a high-severity conditional-execution attack, both of which could directly lead to fund loss if unresolved, alongside meaningful medium-severity design weaknesses. These issues warrant thorough remediation before mainnet deployment. |
Guardian Audits03-10-2022 - 24-10-2022 |
| The audit uncovered 9 critical vulnerabilities that would have rendered core exchange functionality inoperable or caused complete loss of user funds, all of which were resolved before deployment; however, acknowledged risks around keeper centralization, oracle manipulation, and various design limitations remain as ongoing operational considerations for protocol safety. |
Guardian Audits08-12-2022 - 08-01-2023 |
| All 18 critical and 7 high-severity vulnerabilities were resolved before final delivery, substantially mitigating the most dangerous attack paths, though 4 medium-severity items (including acknowledged centralization risk) and many low-severity optimizations remain unaddressed at the client's discretion. |
Guardian31-01-2023 - 15-03-2023 |
| All 16 critical and 9 high-severity findings were resolved, addressing the most material risks such as pool accounting errors, gas-manipulation attack vectors, and risk-free trade opportunities; the residual acknowledged issues (e.g., reference exchange manipulation, position profit counting as collateral) are design-level risks that the GMX team accepted, and the protocol's safety posture is substantially improved after remediation. |
Guardian18-04-2023 - 15-05-2023 |
| The audit uncovered critical and high-severity vulnerabilities that could lead to bad debt accumulation, market bricking, and risk-free manipulation of the GMX Synthetics protocol; the GMX team subsequently acknowledged or implemented fixes for the findings via on-chain commits, but the severity of the identified issues underscores the need for thorough remediation and continued security diligence. |
Guardian23-05-2023 - 02-06-2023 |
| Guardian's audit identified one high and nine medium severity vulnerabilities in GMX Synthetics, all of which were resolved by the team before delivery — no unresolved risks remain on the critical or high front, making the codebase safer for deployment with residual attention paid to the refactored DecreasePositionCollateralUtils logic. |
Guardian11-07-2023 |
| The critical finding was resolved during the audit, and while several high and medium severity design-level issues remain acknowledged, they represent manageable risks requiring careful configuration and monitoring rather than exploitable systemic vulnerabilities. |
Guardian19-07-2023 - 28-07-2023 |
| The audit confirmed that the remediation addressed all prior critical and high-risk concerns, with only two medium and three low issues remaining, all acknowledged for future resolution — indicating the codebase was in a sound security posture at the time of the engagement. |
Guardian21-08-2023 - 01-09-2023 |
| The audit found no critical or high severity vulnerabilities in GMX's oracle update code, and all medium and low findings were either resolved or acknowledged, indicating a sound security posture for the changes reviewed. |
Guardian26-09-2023 |
| The audit found no critical or high-severity vulnerabilities; only three low-severity documentation and code-quality issues were identified, all still pending resolution, indicating a generally sound codebase with only minor deviations from best practices. |
Guardian09-10-2023 - 23-10-2023 |
| The audit found 10 issues (2 high, 6 medium, 2 low), all resolved except one high-severity logical error that was acknowledged with a code comment; the migration contracts were deemed sufficiently hardened for the intended migration flow after remediation. |
Guardian30-10-2023 - 05-11-2023 |
| The audit found no critical or high severity vulnerabilities, with one medium-severity logical error and five low-severity issues that were either resolved or acknowledged, indicating a secure contract baseline for the subaccount feature. |
Guardian05-12-2023 - 12-12-2023 |
| The audit identified no critical vulnerabilities, with the single High-severity issue (bnGMX burn bypass) and the most impactful Medium (infinite voting power) both acknowledged by the GMX team, while the remaining findings were resolved — indicating a reasonable security posture for the governance updates subject to the acknowledged risks being addressed prior to or shortly after deployment. |
Guardian12-01-2024 - 16-01-2024 |
| The audit found no critical, high, or medium severity vulnerabilities in GMX's Config contract updates, with only two low-severity optimizations noted as pending; the changes present minimal security risk from a technical vulnerability standpoint. |
Guardian14-06-2024 |
| All 3 critical and the vast majority of high-severity issues were resolved, significantly reducing attack surface; however, 1 high and 6 medium findings were acknowledged as design-level risks, and the migration-inconsistency concern (H-09) warrants continued operator vigilance during the upgrade window. |
Guardian03-06-2024 - 06-06-2024 |
| The audit found 2 critical, 1 high, 7 medium and 8 low severity findings; all critical and high issues were resolved before delivery, and the acknowledged medium risks (e.g. sequencer outage, block gas limit edge cases) present residual but managed operational concerns. |
Guardian10-06-2024 - 12-06-2024 |
| The single critical vulnerability was resolved by the GMX team, and no other issues were found, indicating a clean security posture for the audited codebase at the time of review. |
Guardian03-09-2024 |
| The audit uncovered one critical pricing arbitrage and two high-severity issues, all of which were resolved before the final report, and the 12 medium and 31 low findings were either fixed or formally acknowledged, indicating the GLV codebase is safe for deployment with residual design risks in illiquid market handling and virtual inventory management. |
Guardian19-08-2024 - 26-08-2024 |
| The audit identified five low-severity issues, all of which were resolved by the GMX team, with no critical or high-risk vulnerabilities found, indicating the ConfigSyncer contract was in good security posture at the time of review. |
Guardian07-10-2024 - 14-10-2024 |
| The 4 High/Critical issues were promptly remediated, and following their resolution the buyback mechanism is assessed to uphold its intended functionality. The residual Medium and Low items are acknowledged design choices or non-critical improvements that do not pose immediate risk to protocol safety. |
Guardian Audits18-11-2024 |
| The audit identified one high-severity exploit path (risk-free trades via validFromTime) which was resolved, and all other findings were either resolved or acknowledged with no critical issues outstanding, indicating a well-managed security posture for the pro-tiers update. |
Guardian19-03-2025 - 21-03-2025 |
| The audit found no critical or high-severity issues; the single Medium finding (incorrect gas estimation) was resolved, and the remaining Low findings were either resolved or acknowledged, indicating a solid security posture for the Gelato Sponsored Call integration with only residual trust-assumption and operational risks clearly documented. |
Guardian31-03-2025 - 04-04-2025 |
| The audit identified no critical or high severity vulnerabilities, with one acknowledged medium-severity issue and eleven low-severity findings, over half of which were resolved during the engagement, indicating a solid security posture for the Gelato Sponsored Call Integration. |
Guardian23-02-2025 - 17-03-2025 |
| The audit revealed systemic security weaknesses in GMX's Crosschain V2.2 architecture, particularly in the new multichain message handling, fee deduction, and vault accounting logic, with most critical and high issues resolved. Guardian's Low Confidence ranking (2/5) and recommendation for a full follow-up audit at a finalized commit mean that substantial residual risk remains and deployment should not proceed without additional review. |
Guardian26-07-2025 |
| All 2 Critical and 5 High severity vulnerabilities were resolved by the GMX team, removing the most significant threats; however, several Medium and Low issues remain acknowledged, and the Moderate Confidence ranking indicates residual risks around integration compatibility and impact pool edge cases that warrant continued monitoring. |
Guardian19-05-2025 - 26-05-2025 |
| All Critical and High vulnerabilities were resolved by the GMX team before publication, and the remaining acknowledged Medium and Low issues represent accepted design trade-offs rather than imminent threats, but the Moderate Confidence ranking and the novelty of the pending-impact/lending price-impact mechanism suggest residual risk that warrants a focused re-audit after any further code changes. |
Guardian09-06-2025 - 16-06-2025 |
| The audit identified no critical vulnerabilities, with all 3 high-severity issues either resolved or partially resolved by the GMX team, and Guardian assigned a Moderate Confidence (3/5) ranking, recommending a targeted follow-up depending on code changes. |
Guardian26-07-2025 |
| Guardian found no critical vulnerabilities and the single High-severity issue was resolved, with three of four Medium issues also fixed; the protocol received a High Confidence ranking, indicating it is suitable for deployment after remediation, though the acknowledged Medium (price impact gaming) and several Low items represent residual design risks to monitor. |
Guardian26-07-2025 |
| All critical and high-severity issues are either resolved or acknowledged, and the protocol received a High Confidence ranking, indicating sound design with only low-to-medium residual risks centered on lent amount buildup under edge conditions that require admin monitoring. |
Guardian21-07-2025 - 26-07-2025 |
| The audit identified one High and eight Low severity issues, all of which were either resolved or acknowledged, with no Critical or Medium findings, supporting a Guardian Confidence Ranking of 5 (Very High Confidence) and indicating the GMX Crosschain V2.2 contracts are mature and secure for deployment. |
Guardian27-08-2025 - 18-09-2025 |
| The 2 High and 12 Medium severity findings were largely remediated, though several acknowledged medium-severity gaming/arbitrage vectors remain design-level risks that require careful off-chain keeper logic; Guardian assigned the project a Moderate Confidence ranking (3/5) and advised a targeted follow-up audit given the code changes. |
Guardian14-08-2025 - 18-09-2025 |
| The Guardian audit of GMX's OFT found no critical or high-severity vulnerabilities, gave a Very High Confidence ranking (5/5), and all six medium-severity issues were resolved, indicating the codebase is secure for deployment. |
Guardian29-10-2025 |
| The audit found no critical or high-severity vulnerabilities, and Guardian considers the codebase suitable for deployment; the single medium-severity finding was acknowledged by the GMX team and the remaining low/info issues were either resolved or documented as accepted risks. |
| The audit identified a range of medium-severity logic, pricing, and oracle issues in the GMX Synthetics update, several of which were addressed by subsequent commits, though residual design risks around virtual swap impacts and oracle timing remain. |
Legal
Status and notes
GMX is a decentralized permissionless perpetual exchange protocol governed by GMX DAO, with GMX Labs serving as the operational development entity (referenced in governance proposals on gov.gmx.io). The protocol does not publicly disclose a formal legal entity, company registration, foundation, or incorporation jurisdiction on its official website (gmx.io), documentation site (docs.gmx.io), or governance forum. The website footer links to 'Terms and conditions' and 'Referral terms' but the actual legal text content was not retrievable via headless browser due to the single-page application's hash-routing. No imprint, privacy policy, or corporate address is published on any GMX-operated domain.