Audits
GX Chain Security Assessment
| Detail | Value |
|---|---|
| Engine | GX Chain v0.1.0 (Rust, single binary) |
| Assessment Date | March 25, 2026 |
| Total Tests | 73 (SS-GX-001 to SS-GX-073) |
| Rounds | 4 testing rounds |
| Result | All 73 tests passed |
Test Priority Breakdown
| Priority | Count | Status |
|---|---|---|
| Critical | 14 | All Passed |
| High | 14 | All Passed |
| Medium | 27 | All Passed |
| Standard | 18 | All Passed |
Scorecard
| Area | Rating | Notes |
|---|---|---|
| Access Controls | Strong | EIP-712 with low-s normalization, gap-tolerant nonces, per-account rate limiting |
| Architecture / Design | Sufficient | Clean module separation, BTreeMap orderbook, crossbeam SegQueue |
| Arithmetic Safety | Strong | overflow-checks = true, no floating point, integer-only matching |
| Scalability | Sufficient | Millions of operations per second sustained, single binary vertical scaling |
| Upgradeability | Moderate | Requires process restart, no live upgrade mechanism |
| Documentation | Sufficient | API follows industry standard /v4/ format |
| Testing and Verification | Strong | Comprehensive test suite, benchmarks, strict linting |
| Operational Readiness | Moderate | Docker multi-stage build works, 3-validator testnet script exists |
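The scorecard names two access-control mechanisms, low-s normalization of the EIP-712 signature and gap-tolerant nonces, without showing what they guard against. The following is an added example written for this page, not code from GX Chain's api/auth.rs or state/accounts.rs, and it uses std only. The low-s check is the standard secp256k1 canonicalization (reject or fold s > n/2), which closes ECDSA signature malleability: both (r, s) and (r, n - s) verify for the same message, so without it an attacker can derive a second valid signature, and a second distinct request hash, from any observed one. The nonce window is one common way to get gap tolerance (a sliding bitmap in the style of RFC 6479); the assessment does not describe GX Chain's actual scheme, so the window width and rejection rules here are assumptions. Per-account rate limiting is left out.

```rust
// Added illustrative example; not GX Chain's api/auth.rs or accounts.rs.
// Implements two of the scorecard's access-control checks with std only:
// low-s normalization of ECDSA signatures and a gap-tolerant nonce window.

/// secp256k1 group order n, big-endian.
const SECP256K1_N: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
    0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
    0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
];
/// n / 2, the largest s accepted as low-s.
const SECP256K1_HALF_N: [u8; 32] = [
    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x5d, 0x57, 0x6e, 0x73, 0x57, 0xa4, 0x50, 0x1d,
    0xdf, 0xe9, 0x2f, 0x46, 0x68, 0x1b, 0x20, 0xa0,
];

/// Canonicalize (s, recovery_id). (r, s, id) and (r, n - s, id ^ 1) are both
/// valid signatures for the same message, so a verifier that accepts high-s
/// values lets anyone mint a second signature from an observed one.
/// Returns None for s = 0, s >= n, or a recovery id other than 0/1.
pub fn normalize_low_s(s: [u8; 32], recovery_id: u8) -> Option<([u8; 32], u8)> {
    if recovery_id > 1 || s == [0u8; 32] || s >= SECP256K1_N {
        return None;
    }
    if s <= SECP256K1_HALF_N {
        return Some((s, recovery_id));
    }
    // Big-endian n - s with a borrow chain.
    let mut low = [0u8; 32];
    let mut borrow = 0i16;
    for i in (0..32).rev() {
        let d = i16::from(SECP256K1_N[i]) - i16::from(s[i]) - borrow;
        borrow = i16::from(d < 0);
        low[i] = (d + 256 * borrow) as u8;
    }
    Some((low, recovery_id ^ 1))
}

#[derive(Debug, PartialEq, Eq)]
pub enum NonceError { Replay, TooOld }

/// Per-account anti-replay window (assumed design, RFC 6479 style): nonces
/// may arrive out of order within WIDTH of the highest nonce seen, each may
/// be consumed once, and anything older than the window is rejected.
pub struct NonceWindow {
    highest: Option<u64>,
    /// Bit i set means nonce (highest - i) has been consumed.
    used: u64,
}

impl NonceWindow {
    pub const WIDTH: u64 = 64;

    pub fn new() -> Self {
        Self { highest: None, used: 0 }
    }

    pub fn accept(&mut self, nonce: u64) -> Result<(), NonceError> {
        let Some(highest) = self.highest else {
            self.highest = Some(nonce);
            self.used = 1;
            return Ok(());
        };
        if nonce > highest {
            // Slide forward; a jump of WIDTH or more clears the bitmap
            // (a u64 shift by >= 64 would panic under overflow-checks).
            let shift = nonce - highest;
            self.used = if shift >= Self::WIDTH { 0 } else { self.used << shift };
            self.used |= 1;
            self.highest = Some(nonce);
            return Ok(());
        }
        let back = highest - nonce;
        if back >= Self::WIDTH {
            return Err(NonceError::TooOld);
        }
        let bit = 1u64 << back;
        if self.used & bit != 0 {
            return Err(NonceError::Replay);
        }
        self.used |= bit;
        Ok(())
    }
}

fn main() {
    let mut high = SECP256K1_HALF_N;
    high[31] = 0xa1; // n/2 + 1: a malleable high-s value
    let (low, id) = normalize_low_s(high, 0).expect("valid scalar");
    println!("normalized s[28..] = {:02x?}, recovery id = {}", &low[28..], id);
    let mut w = NonceWindow::new();
    let a = w.accept(5);
    let b = w.accept(3);
    let c = w.accept(5);
    println!("nonce 5: {a:?}, nonce 3 (gap): {b:?}, nonce 5 again: {c:?}");
}
```

Note that normalizing (rather than rejecting) high-s signatures is only safe if the canonical form is what gets hashed into any replay key or order id; if the raw submitted signature is used there, the malleability remains. The window's width is a liveness/security trade-off: wider tolerates more reordering, but a client that jumps the nonce by more than WIDTH silently invalidates its unsent lower nonces.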
Modules Assessed
| Module | Description | Risk Level |
|---|---|---|
| orderbook/ | BTreeMap orderbook, price-time priority matching | Critical |
| api/auth.rs | EIP-712 signature verification, domain separator | Critical |
| state/ledger.rs | Block application, state transitions, state hash | Critical |
| api/rest.rs | REST API handlers (place_order, cancel_order) | High |
| node/validator.rs | WebSocket handlers, block production loop | High |
| state/accounts.rs | Account management, nonces, rate limiting | High |
| state/positions.rs | Position tracking, PnL calculation | High |
| risk/ | Margin, liquidation, circuit breakers, funding | High |
| consensus/ | Block production, RocksDB persistence, P2P | Medium |
| config.rs | Node configuration, market configs | Low |
| indexer/ | PostgreSQL indexer | Low |
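The critical-rated orderbook module is described only as "BTreeMap orderbook, price-time priority matching", and the scorecard's arithmetic-safety row as "overflow-checks = true, no floating point, integer-only matching". The block below is an added example written for this page, not GX Chain's orderbook/ code, showing how those two properties fit together: a BTreeMap gives price priority by key order, a FIFO per price level gives time priority, and every quantity and notional is an integer with the overflow case handled explicitly. Field names, error variants and the rule that an order whose limit notional does not fit in u64 is rejected before matching are assumptions of this example.

```rust
// Added illustrative example; not GX Chain's orderbook/ module.
// BTreeMap orderbook with price-time priority and integer-only arithmetic.
use std::collections::{BTreeMap, VecDeque};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Side { Buy, Sell }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Order { pub id: u64, pub side: Side, pub price: u64, pub qty: u64 }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Fill { pub maker_id: u64, pub taker_id: u64, pub price: u64, pub qty: u64, pub notional: u128 }

#[derive(Debug, PartialEq, Eq)]
pub enum MatchError { ZeroQuantity, ZeroPrice, NotionalOverflow }

/// Resting orders keyed by price. Iterating the map gives price priority;
/// each level is a FIFO queue, which gives time priority within a price.
#[derive(Default)]
pub struct OrderBook {
    bids: BTreeMap<u64, VecDeque<Order>>,
    asks: BTreeMap<u64, VecDeque<Order>>,
}

impl OrderBook {
    pub fn new() -> Self { Self::default() }

    /// Match `taker` against the opposite side, then rest any remainder.
    pub fn submit(&mut self, mut taker: Order) -> Result<Vec<Fill>, MatchError> {
        if taker.qty == 0 { return Err(MatchError::ZeroQuantity); }
        if taker.price == 0 { return Err(MatchError::ZeroPrice); }
        // Assumed rule: reject a limit notional that does not fit in u64 up
        // front, so an overflow can never surface mid-match and leave a
        // partially mutated book.
        taker.price.checked_mul(taker.qty).ok_or(MatchError::NotionalOverflow)?;

        let mut fills = Vec::new();
        while taker.qty > 0 {
            // Best opposite level that crosses the taker's limit, if any.
            let crossing = match taker.side {
                Side::Buy => self.asks.keys().next().copied().filter(|&p| p <= taker.price),
                Side::Sell => self.bids.keys().next_back().copied().filter(|&p| p >= taker.price),
            };
            let Some(price) = crossing else { break };
            let book = match taker.side { Side::Buy => &mut self.asks, Side::Sell => &mut self.bids };
            let level = book.get_mut(&price).expect("level present");
            while taker.qty > 0 {
                let Some(maker) = level.front_mut() else { break };
                let qty = maker.qty.min(taker.qty);
                // Widen before multiplying: u64 * u64 always fits in u128, so
                // the fill notional cannot overflow. No floating point anywhere.
                let notional = u128::from(price) * u128::from(qty);
                fills.push(Fill { maker_id: maker.id, taker_id: taker.id, price, qty, notional });
                maker.qty -= qty; // cannot underflow: qty <= maker.qty
                taker.qty -= qty; // cannot underflow: qty <= taker.qty
                if maker.qty == 0 { level.pop_front(); }
            }
            if level.is_empty() { book.remove(&price); }
        }
        if taker.qty > 0 {
            let book = match taker.side { Side::Buy => &mut self.bids, Side::Sell => &mut self.asks };
            book.entry(taker.price).or_default().push_back(taker);
        }
        Ok(fills)
    }

    /// (price, resting quantity) at the best bid.
    pub fn best_bid(&self) -> Option<(u64, u64)> {
        self.bids.iter().next_back().map(|(p, q)| (*p, q.iter().map(|o| o.qty).sum::<u64>()))
    }
    /// (price, resting quantity) at the best ask.
    pub fn best_ask(&self) -> Option<(u64, u64)> {
        self.asks.iter().next().map(|(p, q)| (*p, q.iter().map(|o| o.qty).sum::<u64>()))
    }
}

fn main() {
    let mut book = OrderBook::new();
    book.submit(Order { id: 1, side: Side::Sell, price: 101, qty: 5 }).unwrap();
    book.submit(Order { id: 2, side: Side::Sell, price: 100, qty: 3 }).unwrap();
    let fills = book.submit(Order { id: 3, side: Side::Buy, price: 102, qty: 4 }).unwrap();
    println!("fills: {fills:?}");
    println!("best ask after match: {:?}", book.best_ask());
}
```

Two points a reviewer of a real engine checks against this shape: fills execute at the maker's resting price, never the taker's limit, and the per-fill `maker.qty -= qty` / `taker.qty -= qty` are the only subtractions, each provably bounded by the `min`. With `overflow-checks = true` in the release profile, any arithmetic path that is not bounded this way panics rather than wrapping, which is the safe failure for a matching engine but also means every such path is a potential denial-of-service input and must be validated before it is reached.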
Assessment Methodology
- Manual code review — Line-by-line inspection of all critical paths
- Protocol-level analysis — Semantic analysis of design decisions
- Threat modeling — Per-module threat models identifying attack surfaces
- Adversarial testing — Simulated attack scenarios specific to perpetual futures
- State machine verification — Formal checking of consensus guarantees
- Performance testing — Hot-path allocation auditing, struct alignment
Scope
In scope:
- All GX Core Rust modules (orderbook, state, risk, consensus, api, indexer, node, config)
- Matching engine correctness, EIP-712 verification, margin/liquidation logic
- REST and WebSocket API security
- Block production and RocksDB persistence
- P2P network protocol, Docker deployment
Out of scope:
- Frontend (React/TypeScript, Privy wallet, wagmi)
- External SDK and API interactions
- External dependencies (RocksDB, PostgreSQL, tokio, axum internals)
- GX BFT integration (not yet implemented at assessment time)
- Deployment infrastructure (nginx, TLS, DNS)
- Stress/load testing
Disclaimers
- GX Chain is v0.1.0 experimental software
- This assessment does not guarantee the absence of undiscovered vulnerabilities
- The assessment was conducted on the codebase as of 2026-03-24
- Incremental reviews are recommended after any code updates