Make v2 the most audited project ever

As a user of GMX since day 1, now with most of my LP activity in V2, I think GMX should simultaneously engage several of the best auditors on V2 (maybe like Trail of Bits, OZ, ChainSecurity, etc.).

Everything ended well for the V1 hack. However, a total loss of V2 funds would be another story. The contracts are pretty complex, but it’s an opportunity to define what the golden standard for a DeFi project is, hopefully enabling GMX to grow considerably, as it deserves.

2 Likes

V2 has already undergone a string of audits by top security partners. However, the GMX contributors are definitely considering how to further focus on safety and security, in light of this week’s unexpected scare.

1 Like

Yes, of course V2 has been audited already. But last week’s attack proved that some audits are not enough…

I was thinking that multiple additional audits by the world’s best would be welcome.

I think additional audits as well as other security solutions and blockchain monitoring services will be considered.

1 Like

Hello GMX DAO members,

I’d like to propose Olympix (olympix.ai) as a security partner to help GMX further focus on safety and security in light of the recent hack.

Olympix exists because, although they are best practice, audits alone are not foolproof. 90% of exploited smart contracts had been audited at least once.

Olympix is a suite of proactive smart contract security tools that enables core developers to find and resolve vulnerabilities while they code - prior to audit and prior to deployment. The tools integrate directly into the CI/CD pipeline and automate testing methodologies such as static analysis, unit testing, mutation testing, fuzzing/formal verification, and leverage custom AI models powered by the Olympix engine (a proprietary architecture which enables Olympix tooling to perform with more accuracy and speed than other developer tooling or LLM-based AI auditors on the market).

Olympix acts as a critical first layer in a robust security approach. We see up to 80% overlap in findings with the typical external audit - which means that your team can have cleared away up to 80% of audit level findings BEFORE the audit, freeing up the external auditor to focus on sophisticated, novel vulnerabilities. The tools also continually find vulnerabilities that auditors miss - examples include:

  • the $12M Cork Protocol exploit (now a customer)
  • the $11.6M Li. Fi exploit (now a customer)
  • the $27M Penpie exploit (now a customer)
  • the GMX exploit

Security-conscious teams such as the ones above as well as Circle, Agora, Syndicate, Flow, Berachain, and more trust Olympix to help developers catch vulnerabilities early in the development lifecycle.

We’d like the opportunity to share more info on the Olympix tooling on a quick call so the GMX DAO can evaluate Olympix as the internal layer in its newly fortified security approach.

Please send a note to Sarah or Channi (sarah@olympix.ai or @sarahjanehicks on tg; channi@olympix.ai or @channigreenwall on tg) and we’ll walk through how the tooling would have prevented the GMX hack and how it could integrate for future development and audit cycles.

1 Like

Interesting! If your tool works, the business model should be finding vulnerabilities and claiming bounties: the max bounty is already 5m for GMX.

2 Likes

Forwarded to the devs.

Absolutely - today we just don’t have dedicated resources running the tools & collecting bounties because our eng resources are dedicated to working on the tooling & supporting prospects and customers.

The idea with the tooling is also that it is used proactively, prior to audit. With up to 80% overlap in audit findings, that means the GMX team clears away up to 80% of what a typical audit would find before the audit begins, freeing up the auditor’s time to focus elsewhere - which may mean finding a critical issue that would have otherwise been missed.

The tools also cover certain areas not typically within scope of an audit - i.e. test suites - also relevant to tackle before an audit. For example, our mutation testing tool would have prevented the $27M Penpie exploit by highlighting that a unit test for a certain branch didn’t break when there was a missing modifier, leading to a bad commit which led to a hack (and was missed by multiple auditors).

Happy, of course, to run the tools for GMX and show how they work and the impact.
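The mutation-testing mechanism described in the post above (a unit test that keeps passing after an access-control modifier is removed, so the missing modifier goes unnoticed), as an added example that is not Olympix's tooling or GMX's code. The contract is modelled in plain Python rather than Solidity: `Vault`, `sweep`, the `remove_only_owner` mutation operator and both test functions are assumptions constructed for this illustration. The harness runs each test against the original and against a mutant with the owner check deleted; a mutant that no test fails on is reported as "surviving", which is exactly the signal that the unauthorized branch has no test.

```python
"""Toy mutation-testing harness for an access-control modifier.

Added example (not the project's or vendor's code). The "contract" is a
Python model; the mutation operator replaces the onlyOwner-style check with
a no-op, mimicking a commit that accidentally drops a modifier.
"""
from typing import Callable, Dict, List


class Revert(Exception):
    """Stands in for a Solidity revert."""


class Vault:
    """Hypothetical vault contract modelled in Python."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.balances: Dict[str, int] = {}

    def _only_owner(self, caller: str) -> None:
        # Models an `onlyOwner` modifier.
        if caller != self.owner:
            raise Revert("caller is not the owner")

    def deposit(self, caller: str, amount: int) -> None:
        if amount <= 0:
            raise Revert("zero deposit")
        self.balances[caller] = self.balances.get(caller, 0) + amount

    def sweep(self, caller: str, account: str, to: str) -> int:
        # Owner-only recovery function: moves one account's balance elsewhere.
        # Without the modifier, any caller could move any account's funds.
        self._only_owner(caller)
        amount = self.balances.pop(account, 0)
        self.balances[to] = self.balances.get(to, 0) + amount
        return amount


def remove_only_owner(base: type) -> type:
    """Mutation operator: a copy of the contract with the modifier deleted."""
    return type(base.__name__ + "_NoOnlyOwner", (base,),
                {"_only_owner": lambda self, caller: None})


TestFn = Callable[[type], None]


def check_owner_can_sweep(contract: type) -> None:
    # Weak test: only exercises the authorized branch.
    v = contract("owner")
    v.deposit("alice", 100)
    assert v.sweep("owner", "alice", "treasury") == 100


def check_non_owner_cannot_sweep(contract: type) -> None:
    # Strong test: exercises the unauthorized branch, so it fails once the
    # modifier is gone. This is the test whose absence lets the mutant survive.
    v = contract("owner")
    v.deposit("alice", 100)
    try:
        v.sweep("stranger", "alice", "stranger")
    except Revert:
        return
    raise AssertionError("sweep by non-owner did not revert")


def passes(test: TestFn, contract: type) -> bool:
    try:
        test(contract)
        return True
    except (AssertionError, Revert):
        return False


def run_mutation_testing(original: type, mutants: Dict[str, type],
                         tests: Dict[str, TestFn]) -> Dict[str, List[str]]:
    """Map each mutant name to the tests that kill it (pass on the original,
    fail on the mutant). An empty list means the mutant survived."""
    for name, t in tests.items():
        if not passes(t, original):
            raise RuntimeError(f"{name} fails on the original; fix the suite first")
    return {mname: [tname for tname, t in tests.items() if not passes(t, m)]
            for mname, m in mutants.items()}


def surviving_mutants(report: Dict[str, List[str]]) -> List[str]:
    """Mutants no test caught: each one points at an untested branch."""
    return sorted(m for m, killers in report.items() if not killers)


if __name__ == "__main__":
    mutants = {"no_only_owner": remove_only_owner(Vault)}
    weak_suite = {"owner_can_sweep": check_owner_can_sweep}
    full_suite = dict(weak_suite, non_owner_cannot_sweep=check_non_owner_cannot_sweep)
    print("weak suite survivors:", surviving_mutants(run_mutation_testing(Vault, mutants, weak_suite)))
    print("full suite survivors:", surviving_mutants(run_mutation_testing(Vault, mutants, full_suite)))
```

With only the happy-path test, the `no_only_owner` mutant survives; adding the negative test for the unauthorized caller kills it. Real mutation-testing tools apply this loop over many generated mutants (dropped modifiers, flipped comparisons, removed require statements) and report survivors as coverage gaps, which is the review signal a test suite should produce before a commit reaches audit.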

Fantastic, thank you. Looking forward to hearing their feedback.

If any of the GMX team is at Token, happy to connect here in person - anyone can shoot me a telegram message @sarahjanehicks

1 Like