Let's avoid bot spoofing GMX referral code


Currently, I can’t create same refferal on both Arbitrum and AVAX, because a spoofing bot is alive.
Thats should be fix asap imho

Imagine youtubers spending time promoting their refferal, and a spoofing bot is getting their community …

See below a current issue:
I created my referral link on GMX Arbitrum.

Then, I tried to create the same code on Avalanche, but I got an error message saying that the code was already taken.

It was strange, so I tried again, but I encountered the same issue.

Upon checking the contract on Avalanche, I noticed that a bot was spoofing referral codes.

This means that if I am a crypto YouTuber and I want to promote my referral link on all my social platforms (such as Twitter, YouTube, Instagram, TikTok, Medium, Telegram, etc.), someone who did not do any promotion can directly benefit from my efforts by using a bot to spoof my referral link.

This has a direct financial impact, as I will only receive half of the referral fee on a link that I spent a lot of time promoting, while the other half will go to the bot spoofer.

Since this has a direct impact on the user, I decided to submit a bug on the GMX bug bounty program, but bounty was rejected :frowning:


Based on my understanding, there is an easy fix for this issue. When registering a refferal code on Arbitrum or Avalanche, you should add a check to ensure that the code has not already been created on the other chain. Then only allow the address that created the same code on the first blockchain to create it on the second blockchain.

Here are the recommended steps:
Step 1: Address 0X…1 creates referral code “GMX_low_fee” on Arbitrum.
Step 2: Someone wants to register on Avalanche using the same referral code “GMX_low_fee”. Step3: Add a check:

  • If “GMX_low_fee” does not exist on Arbitrum and “GMX_low_fee” does not exist on Avalanche, allow the creation.
  • Else if “GMX_low_fee” does not exist on the current chain, but it exists on the other chain and the address creator is the same as the current address, allow the creation.
  • Else, another user has already registered this address on this chain (or another chain).


The spoofing bot on Avalanche seems to be running on this address:
snowtrace address: 0xea651097e54256d0f5334bbd1e869ea35e2e8af8

Here’s an example of one user who created a referral code on Arbitrum: Arbitrum Transaction Hash (Txhash) Details | Arbiscan (Feb-27–2023 05:46:34 PM +UTC)
Function: registerCode(bytes32 _code)
MethodID: 0x36def2c8 [0]: 6f63696e6f6765636b0000000000000000000000000000000000000000000000

Seven seconds later, the bot registers the same referral code on Avalanche:
Snowtrace tx 0x6fdea4a0dd9e081e481f07aa9e19f55ef15d9cc40741c711ec3c943066511405 (Feb-27–2023 05:46:41 PM +UTC)
Function: registerCode(bytes32 _code)
MethodID: 0x36def2c8 [0]: 6f63696e6f6765636b0000000000000000000000000000000000000000000000

More details here:


I will support this. Bots shld be increasing productivity and NOT rent-seeking.

do note that i don’t see how this is a bug though.
bots are just finding ways to be faster than humans, takes effort and resources to counter bots.

Devs are aware of the issue, and looking at a solution that best addresses this.

1 Like