Security
Overview
Security is the foundation of GX Exchange. The platform implements defense-in-depth across every layer — from the GXCore matching engine and GX BFT consensus protocol to smart contracts and user-facing interfaces. GX Chain has undergone a comprehensive 73-point security assessment with all tests passed.
Security Architecture
Access Controls — Strong
- EIP-712 typed data signature verification with low-s normalization
- Two-layer authentication (API + consensus)
- Gap-tolerant nonce validation prevents replay attacks
- Per-account rate limiting
- Circuit breaker at 10% price move
Arithmetic Safety — Strong
- `overflow-checks = true` enforced in release builds
- No floating point in matching, settlement, or risk calculations
- All arithmetic uses checked/saturating operations
- `#![deny(unsafe_code)]` enforced across the codebase
- Integer-only representation (Subticks u64, Quantums u64)
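To illustrate the integer-only, checked-arithmetic discipline listed above, here is an added Rust example (not GX Exchange or GXCore code): Subticks and Quantums as u64 newtypes, with notional, fee and PnL computed in widened integers where every operation either returns a value or an explicit overflow error instead of wrapping. The newtype definitions, `ArithError`, and the sample values are assumptions, not the project's own API.

```rust
// Added example, not GX Exchange code: integer-only, overflow-checked
// price/size arithmetic in the style the page lists. The Subticks and
// Quantums newtypes, ArithError and the sample values are assumptions.
use std::convert::TryFrom;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Subticks(pub u64); // price as an integer number of subticks
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Quantums(pub u64); // size as an integer number of quantums

#[derive(Debug, PartialEq, Eq)]
pub enum ArithError {
    Overflow,
}

/// Notional = price * size. Widened to u128 and still checked, so the
/// intent is explicit and survives any later change of operand width.
pub fn notional(price: Subticks, size: Quantums) -> Result<u128, ArithError> {
    u128::from(price.0)
        .checked_mul(u128::from(size.0))
        .ok_or(ArithError::Overflow)
}

/// Fee = notional * fee_ppm / 1_000_000 in pure integers (no floating
/// point); the multiply is checked, division by a constant cannot fail.
pub fn fee(notional: u128, fee_ppm: u32) -> Result<u128, ArithError> {
    notional
        .checked_mul(u128::from(fee_ppm))
        .map(|v| v / 1_000_000)
        .ok_or(ArithError::Overflow)
}

/// Realised PnL of a long position: the sign is handled explicitly so no
/// unsigned subtraction can underflow, and the i128 conversion is checked.
pub fn long_pnl(entry: Subticks, exit: Subticks, size: Quantums) -> Result<i128, ArithError> {
    let opened = notional(entry, size)?;
    let closed = notional(exit, size)?;
    let to_signed = |v: u128| i128::try_from(v).map_err(|_| ArithError::Overflow);
    if closed >= opened {
        to_signed(closed - opened)
    } else {
        to_signed(opened - closed).map(|v| -v)
    }
}

/// Saturating variant for places where clamping is the intended policy
/// (e.g. a capped counter); the caller opts in explicitly, never by default.
pub fn saturating_add_quantums(a: Quantums, b: Quantums) -> Quantums {
    Quantums(a.0.saturating_add(b.0))
}
```

Calling `long_pnl(Subticks(2_000_000), Subticks(2_100_000), Quantums(5_000))` yields `Ok(500_000_000)`, while `fee(u128::MAX, 2)` yields `Err(ArithError::Overflow)` rather than a wrapped value.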
Testing and Verification — Strong
- 90 tests covering unit (49), API (6), consensus (6), end-to-end (3), state (8), risk (9), orderbook (9)
- Criterion benchmarks for performance validation
- `#![deny(clippy::unwrap_used)]` enforced
Consensus — BFT Tolerant
- Byzantine Fault Tolerant consensus (GX BFT with consensus pipelining)
- Tolerates up to 1/3 of validators being faulty or malicious
- With 21 validators: survives 6 byzantine nodes
- With 51 validators: survives 16 byzantine nodes
Risk Categories Tested
| Risk Category | Description | Status |
|---|---|---|
| Collateral Theft | Forged orders, PnL manipulation, insurance fund exploits | Passed |
| Orderbook Manipulation | Self-trade, price manipulation, order type exploits | Passed |
| Position Freezing | Incorrect state transitions, system pauses | Passed |
| Liquidation Exploitation | Unfair targeting, insurance fund drainage | Passed |
| Denial of Service | WS/REST flooding, P2P injection, queue saturation | Passed |
| Signature Forgery | Forged EIP-712 signatures, replay attacks | Passed |
| Consensus Divergence | Non-deterministic execution, state hash issues | Passed |
| Data Loss | RocksDB corruption, non-atomic persistence | Passed |
Related Pages
- Audits — Detailed audit results and scorecard
- Bug Bounty Program — Report vulnerabilities and earn rewards