GMX, A Can-Be-Evil “AMM”

Deri Protocol
Oct 6, 2022


Author: 0xAlpha

TL;DR:

  • GMX depends on a centralized component, the “keeper”, which is run solely by the team.
  • The keeper determines the price of every trade and can therefore harm or benefit any party (traders or LPs) as it wishes.
  • With the absolute power of the keeper, it is easy for GMX to be evil, even easier than for any centralized exchange, including the ones that are meant to be evil.

The devil in the details: GMX’s keeper

The recent manipulation attack on GMX brought our attention to GMX’s keeper mechanism. However, the vulnerability to external manipulation is not the real problem. External manipulation is an issue that can be contained; the real problem with the keeper is that there is no way to prevent internal manipulation, or even to detect it.

Trading on GMX is a 2-step procedure:

  1. You place the order. In this step, in addition to the regular transaction fees, you pay an extra amount of ETH/AVAX (called the “Execution Fee”) for the keeper to execute your trade.
  2. The keeper executes your order at a so-called “oracle price”, which is determined solely by the keeper.

Here is the devil in the details: this keeper is not an on-chain or otherwise transparent mechanism. Instead, it is a process running on GMX’s own centralized server, submitting transactions signed by a GMX-owned address. And the keeper’s core role is not just to execute the orders, but also to decide the trading prices. Within one very weak constraint, the keeper can execute your trade at whatever price it chooses. And even that weak constraint (a deviation of more than 2.5% from the Chainlink price triggers a “bid-ask spread”) only ever makes the price worse for the trader.

Simply put, the price of every trade is decided by the keeper AFTER the trader places the order.

How to be evil with this?

Simple and easy!

Since the price of every single trade is entirely up to the keeper, whoever runs the keeper can do whatever they want, e.g. feed prices in favor of, or against, the interests of traders at will. It is very convenient to skim money from every trade by feeding it a bad price (a higher price for long trades or a lower price for short ones).

And this can be done very discreetly: the keeper only needs to make the price slightly worse than fair value (e.g. 0.1% higher or lower), which is very hard to notice, and yet a significant amount of value (0.1% of the trading volume) is taken out of the trades.

You might think such stealing is in the LPs’ favor. In this particular case it is. But with such absolute power, it is just as easy to steal from the LPs: the keeper only needs to feed an affiliate account prices better than fair (a lower price for long trades or a higher price for short trades) to transfer value into that account. This is easy to see: if the external manipulator in the recent attack could benefit their account by manipulating the price source, it is only more straightforward for the keeper to benefit a specific account by manipulating the price directly. The only difference is that the former comes at the cost of moving the price on the reference exchange (i.e. Binance), whereas the latter costs nothing. And again, this can be done in a very hidden way by keeping the intentional deviation small enough to avoid attention while still being profitable.
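To make the two-step flow and the two abuses above concrete, here is a small Python model of keeper-priced execution. It is an added example, not GMX’s contracts or keeper code: the 2.5% deviation band, its spread-only consequence, and the 0.1% skim are taken from this post’s description, and the orders, prices and account names are constructed. The point it demonstrates is that a deviation check with a 2.5% tolerance is not a defence against a systematic 0.1% bias, whether the bias is applied against every trader or in favour of one affiliate account.

```python
"""Toy model of keeper-priced execution (added example; not GMX code).

Assumptions, taken from the post rather than from any GMX source:
  * the trader submits only side and size; the keeper supplies the price later;
  * the only guard is a 2.5% deviation check against a reference (Chainlink-style)
    price, and tripping it merely applies a spread that worsens the trader's price.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_DEVIATION = 0.025  # 2.5% band described in the post (assumed constant)
SKIM = 0.001           # 0.1% systematic bias, the post's own example


@dataclass(frozen=True)
class Order:
    trader: str
    side: str        # "long" or "short"
    size_usd: float


@dataclass(frozen=True)
class Fill:
    order: Order
    price: float
    spread_applied: bool


def execute(order: Order, keeper_price: float, reference_price: float) -> Fill:
    """Step 2 of the flow: the keeper's price is used as-is unless it deviates by
    more than MAX_DEVIATION from the reference; then the trader simply gets the
    worse of the two prices (the spread). Nothing here ever rejects the order."""
    deviation = abs(keeper_price - reference_price) / reference_price
    if deviation > MAX_DEVIATION:
        worse = max if order.side == "long" else min
        return Fill(order, worse(keeper_price, reference_price), True)
    return Fill(order, keeper_price, False)


def trader_loss_vs_fair(fill: Fill, fair_price: float) -> float:
    """USD the trader loses (positive) or gains (negative) versus a fill at fair value."""
    rel = (fill.price - fair_price) / fair_price
    return fill.order.size_usd * (rel if fill.order.side == "long" else -rel)


Keeper = Callable[[Order, float], float]


def honest_keeper(order: Order, fair: float) -> float:
    return fair


def skimming_keeper(order: Order, fair: float) -> float:
    """Against every trader: longs pay SKIM more, shorts receive SKIM less."""
    return fair * (1 + SKIM) if order.side == "long" else fair * (1 - SKIM)


def affiliate_keeper(affiliate: str) -> Keeper:
    """Against the LPs: only the affiliate's orders get a better-than-fair price."""
    def keeper(order: Order, fair: float) -> float:
        if order.trader != affiliate:
            return fair
        return fair * (1 - SKIM) if order.side == "long" else fair * (1 + SKIM)
    return keeper


def settle(orders: List[Order], keeper: Keeper, fair: float,
           reference: float) -> Tuple[Dict[str, float], int]:
    """Run a batch through the keeper. Returns (loss vs fair per trader, how many
    fills tripped the deviation spread)."""
    losses: Dict[str, float] = {}
    tripped = 0
    for o in orders:
        fill = execute(o, keeper(o, fair), reference)
        tripped += int(fill.spread_applied)
        losses[o.trader] = losses.get(o.trader, 0.0) + trader_loss_vs_fair(fill, fair)
    return losses, tripped


# Constructed sample flow: fair value and reference price both 1,600 USD.
FAIR = 1600.0
ORDERS = [
    Order("alice", "long", 250_000.0),
    Order("bob", "short", 150_000.0),
    Order("carol", "long", 100_000.0),
    Order("insider", "short", 500_000.0),   # hypothetical affiliate account
]

if __name__ == "__main__":
    for name, keeper in [("honest", honest_keeper),
                         ("skimming", skimming_keeper),
                         ("affiliate", affiliate_keeper("insider"))]:
        losses, tripped = settle(ORDERS, keeper, FAIR, FAIR)
        print(f"{name:10s} spread tripped={tripped} "
              f"taken from traders={sum(losses.values()):+.2f} USD")
        for trader, loss in losses.items():
            print(f"  {trader:8s} {loss:+10.2f}")
```

Running it, the skimming keeper takes 1,000 USD out of 1,000,000 USD of constructed volume, the affiliate keeper hands 500 USD to the insider account at the LPs’ expense, and in neither case does a single fill trip the 2.5% spread, because the check compares against a tolerance far wider than the bias. The only fills that do trip it (a 3% deviation in the test) confirm the post’s reading: the trader is given the worse of the two prices, and the order still executes.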

This trading mechanism is so opaque that it is even easier to be evil here than on any order-book-based centralized exchange (including the ones that are meant to be evil). On the latter, you have a reasonably clear expectation of your trading price in advance by looking at the quotes on the order book. If the quotes are not fair, you can choose not to trade. In contrast, on GMX the trades are entirely in the keeper’s hands.

OK, but they haven’t been evil yet, have they?

Technically, the answer is we don’t know, as there is no way to verify this from outside.

However, if you ask this question, you are probably missing the point. Switching from “Don’t Be Evil” to “Can’t Be Evil” is one of the crypto world’s fundamental values and a significant step forward. A system whose correct operation depends on the good faith of whoever holds the power does not belong in this world.

However much a Can-Be-Evil project claims it won’t be evil, it should be given no trust. That’s not how web3 works!

About Deri Protocol

Deri, your option, your future!

Deri is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on chain. With Deri Protocol, trades are executed under the AMM paradigm and positions are tokenized as NFTs, highly composable with other DeFi projects. Having provided an on-chain mechanism to exchange risk exposures precisely and capital-efficiently, Deri Protocol has built one of the most important blocks of the DeFi infrastructure.

