The Lexer Markets security review story


0xWeiss

On a beautiful day in September, I got a request from the Hyacinth team saying that Lexer Markets needed an audit for their V2.

At that point, I started researching the protocol to understand what they were building. It turned out they were forking GMX V1, integrating synthetic assets, and switching the oracles to Pyth.

It was a challenging codebase nevertheless: a 13,000+ nSLOC codebase forking a legacy protocol.

I was sure I wanted to do it, given that I understood from previous reviews the architecture of GMX’s codebase.

There were several concerns on my mind, though:
- Is this one of the biggest private audits the space has seen?
- Will I be well off by myself? It is a ton of responsibility.
- How am I going to sleep after I finish the review?
- Will I handle correctly that this protocol, with such a huge codebase, might get 8–9 figs of TVL after my review?

So, I took action, called my friend 0xKato, and put a plan together. Given that he was also familiar with GMX's codebase, we thought it would be great to team up.

Lexer was super happy to have us on board.

The review was supposed to last 5 weeks. So there was no time to waste.

September 19th, we get started.

From there, it was heads down and work. 0xKato made a great teammate.

The review, in our eyes, was a massive success. We found multiple issues inherited from the legacy codebase of GMX V1.

We submitted three of them to Immunefi, the leading bug bounty platform, as we thought they were the most likely to be rewarded given GMX's broad out-of-scope (OOS) policy.

Check out the write-ups with their corresponding PoCs:

- The first bug caused any system relying on the external validateLiquidation function to determine whether user positions were unhealthy to receive a stale answer, so unhealthy positions appeared healthy: Bounty1.
- The second bug was a first-depositor-like bug that had never been discovered before and was live in any fork of GMX that had not yet launched. It exploited an incorrect initial state to game the internal accounting: Bounty2.
- The third issue was deemed OOS for the bounty program, but it caused users to pay higher execution fees than the optimal ones: Bounty3.

Overall, the audit went great and we are very satisfied that we helped Lexer strengthen the security of their codebase.

By the end of the security review, 0xKato and I (0xWeiss) had discovered 49 issues, which Lexer did their best to fix.

Read the audit report HERE:
