defirisk.co
rubric v1.7.0

GMX v2 (GMX Synthetics)

Sector evm_perps_dex
TVL
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 11.8
Deployments Arbitrum · —
01

Risk profile at a glance

0 red · 1 yellow · 11 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 10 25 of 25
RD-F-001 yellow Audit scope mismatch ABDK (most recent standalone comprehensive audit) was tied to commit 298c6d7f1ef089a1437dc7099db1e4c647ed1b7e (added 2023-11-06). Current main-branch head is a5865d1 (2026-04-20), ~29 months later, with substantial post-audit additions: GLV vaults, multichain/LayerZero liquidity, relay/gasless routing, v2.2 callback redesign, v2.3 cross-margin. Guardian's ongoing retainer (10+ post-launch engagements) explicitly covers these features, but no single publicly-accessible report maps to current deployed bytecode by commit SHA. Gap is real but partially mitigated by Guardian retainer.
RD-F-002 yellow Audit recency Most recent standalone commit-mapped audit is ABDK (2023-11-06), 548 days before assessment date (exceeds 365-day green threshold). Guardian ongoing retainer has active engagements through 2026 covering post-launch features, but exact recency of last Guardian engagement is not determinable from the public case study. Effective audit recency is likely under 365 days given ongoing Guardian retainer, but cannot be confirmed to a specific date.
RD-F-003 yellow Resolved-without-proof findings Dedaub Nov 2022 audit listed all findings as Open at publication (critical: cancelOrder reentrancy; high: conditional order execution; mediums and lows). GMX v2 subsequently implemented a GlobalReentrancyGuard stored in DataStore (cross-contract protection) that architecturally supersedes the Dedaub finding. No public per-finding resolution commit mapping exists in the audits directory. Guardian's 7 pre-launch rounds imply findings were worked through iteratively, but formal proof-of-fix commit mapping is not published.
RD-F-006 yellow Audit-to-deploy gap Guardian's last pre-launch engagement was 2023-07-28 (~7 days before 2023-08-04 launch - green). Sherlock Apr 2023 contest (commit a2e331f6) ended ~97 days before launch - just outside the 60-day green window. ABDK was post-launch (not a pre-deploy audit). The suite shows disciplined pre-launch timing with one exception (Sherlock Apr contest slightly outside window). Scored yellow rather than red given the excellent overall pre-launch audit posture.
RD-F-009 yellow Formal verification coverage Certora ran FV on six modules (Bank, DataStore, Oracle, OracleStore, RoleStore, StrictBank) Aug 7-28 2023, with 39 wardens and 28 mutation test cases. No explicit overall invariant coverage percentage stated. Coverage is partial - the 6 modules covered are the most critical primitives but the full 95-contract system was not formally verified.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program covers ~250 assets on Arbitrum and Avalanche. Key exclusion is 'exploits that require access to Timelock admin keys or Fast Price Feed admin keys' - not a core contract exclusion. Highest-TVL contracts (GM market tokens, DataStore, ExchangeRouter on Arbitrum at $222M) appear to be in scope. MegaETH ($9M) and Botanix ($18K) deployments are not confirmed in the Immunefi scope, representing a minor gap for new chain deployments.
RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril/Semgrep run exists for current deployed GMX v2 codebase. Tool run not feasible in dry-run mode. Guardian's 17+ audit rounds would have identified major static-analysis findings, but tool output for the current deployed state is not in the public record. Marked gray per methodology: source is verifiable but tool run needed.
RD-F-016 gray Divide-before-multiply pattern No published Slither divide-before-multiply finding for current deployed codebase. Tool run not feasible in dry-run mode. GMX v2 uses Precision.sol with explicit decimal scaling. No confirmed finding in any public audit report. Gray per methodology - needs tool run.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned GMX v2 does not use the UUPS proxy pattern. Contracts are non-upgradeable in the proxy sense - logic contracts are redeployed on upgrades. No _authorizeUpgrade function exists. Factor is not applicable to this re-deploy architecture.
RD-F-023 n/a Constructor calls _disableInitializers() Not applicable - GMX v2 does not use upgradeable proxies or OZ Initializable. _disableInitializers() is an OZ-proxy-specific defense. Since GMX v2 uses constructor-based non-proxy deployment, this pattern is irrelevant and its absence is not a vulnerability.
RD-F-004 green Audit count Five distinct audit firms: Guardian Audits (7 pre-launch + 10+ post-launch), Dedaub (Nov 2022), Sherlock (2 contests: Feb + Apr 2023), Certora (Aug 2023 FV), ABDK (Nov 2023). Far exceeds the >=2 firm threshold.
RD-F-005 green Audit firm tier Certora is Tier-1 (formal verification firm per taxonomy). Guardian Audits is established Tier-2 with large public track record. Dedaub is Tier-2. ABDK is Tier-2 mathematical audit firm. Sherlock is Tier-2 competitive platform. At minimum Certora qualifies as Tier-1.
RD-F-007 green Bug bounty presence & max payout Immunefi program active since 2021-10-20. Maximum payout $5,000,000 for critical smart contract vulnerabilities. ~250 assets in scope on Arbitrum and Avalanche. $2.6M paid across 22 reports. Far exceeds the >=500K green threshold.
RD-F-008 green Ignored bounty disclosure No post-mortem evidence of a vulnerability reported through responsible disclosure that the GMX v2 team ignored before exploitation. The July 2025 GMX v1 exploit was a v1/GLP architectural issue unrelated to v2 responsible disclosure. The Abracadabra March 2025 incident was a third-party integrator bug.
RD-F-011 green SELFDESTRUCT reachable from non-admin path GMX v2 uses a re-deploy (non-proxy) model. No SELFDESTRUCT opcode found in ExchangeRouter.sol or Oracle.sol. Post-EIP-6780 (Cancun, March 2024), SELFDESTRUCT only clears ETH balance in same tx unless contract was created in same tx, further limiting residual risk. Non-proxy architecture eliminates the primary SELFDESTRUCT attack vector.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall target found in reviewed core contracts. GMX v2 architecture routes all calls through typed handler dispatch with known addresses from RoleStore/DataStore registry. No user-supplied target is passed to delegatecall in any reviewed path.
RD-F-013 green Arbitrary call with user-controlled target ExchangeRouter and SubaccountRouter handle user calls through typed handler dispatch with registry-constrained targets. No evidence of .call(userTarget, userdata) with unconstrained target in reviewed contracts. Keeper execution routes through whitelisted keeper addresses.
RD-F-014 green Reentrancy guard on external-calling functions GlobalReentrancyGuard in contracts/utils/GlobalReentrancyGuard.sol implements cross-contract reentrancy protection via DataStore state (NOT_ENTERED=0 / ENTERED=1). This directly supersedes the Dedaub Nov 2022 critical finding (cancelOrder reentrancy). SubaccountRouter uses OZ nonReentrant. Core handlers inherit GlobalReentrancyGuard for cross-contract protection.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard GMX v2 explicitly excludes ERC-777 and other callback tokens via the whitelist mechanism. GMX known issues page states: 'tokens with callbacks (e.g. ERC-777 tokens) are not compatible with the system and should not be whitelisted.' No ERC-777/1155/721 callback integration path is intended, and the known-issues documentation confirms this explicitly.
RD-F-017 green Mixed-decimals math without explicit scaling GMX v2 uses Chainlink Data Streams with explicit 30-decimal precision pricing. Oracle validates prices with explicit decimal handling. Pre-launch Sherlock and Guardian audits covered multi-token arithmetic across 95 contracts. No confirmed live mixed-decimal bug in any public audit record.
RD-F-018 green Signed/unsigned arithmetic confusion Solidity 0.8.29 provides built-in overflow/underflow revert, equivalent to SafeMath. No confirmed signed/unsigned confusion finding in any public audit report for v2. Guardian's 84 researcher-weeks of pre-launch coverage included arithmetic paths.
RD-F-019 green ecrecover zero-address return unchecked RelayUtils.sol (gasless relay) uses ECDSA.tryRecover() from OZ rather than raw ecrecover(). tryRecover returns (address, RecoverError) and the implementation validates the error state before using the recovered address. No raw ecrecover usage found in reviewed contracts. address(0) vulnerability is mitigated.
RD-F-020 green EIP-712 domain separator missing chainId RelayUtils.sol's getDomainSeparator() function explicitly includes sourceChainId in the domain separator hash, following EIP-712 correctly. This prevents cross-chain replay attacks on gasless relay signatures. Cross-chain replay protection is properly implemented.
RD-F-022 green Public initialize() without initializer modifier GMX v2/synthetics uses constructor-based initialization throughout. ExchangeRouter.sol, Oracle.sol, and SubaccountRouter.sol all use standard constructors; no initialize() function found in any reviewed core contract. The non-proxy re-deploy model means there is no initializer vulnerability surface. Critical factor: CLEAN.
RD-F-024 green Code complexity vs audit coverage 14,000+ LOC audited across 84 researcher-weeks (Guardian pre-launch) = ~167 LOC/researcher-week. Guardian also contributed 15,000+ lines of tests. 39 Certora wardens for 3-week FV. 2 Sherlock contests. 5 audit firms total. Audit effort relative to code size is exceptional.
Governance & admin Green 20 24 of 24
RD-F-028 yellow Low-threshold multisig vs TVL 5-of-8 threshold meets or exceeds peer norm for $243M TVL. However, all 8 signer identities are publicly unverified (pseudonymous on-chain addresses only). Effective threshold may be lower if signers share custody or identity. Dev-identity-analyst required for OSINT.
RD-F-032 yellow Timelock duration on upgrades All five timelocks (3 Arbitrum + 2 Avalanche) have minDelay=86400 seconds (24 hours). The operational Timelock enforces MAX_TIMELOCK_DELAY=5 days. 24-hour delay is functional but below the 48h+ tier-1 norm for a $243M TVL protocol.
RD-F-033 yellow Timelock on sensitive actions Sensitive actions are partially timelocked. Signal-execute pattern (1-day) applies to role grants, oracle signer additions, fee receiver changes. Config changes route through ConfigTimelockController (1-day). However: revokeRole in RoleStore is immediate (no signal period); CONFIG_KEEPER can execute immediate config changes via Config.sol setters without any queue period. Two distinct bypass paths exist for the 1-day delay.
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Security Committee (Season 4: Q, SniperMonke, Raoul, Owen + 1) provides advisory oversight but has no confirmed on-chain pause or veto powers. No dedicated guardian/pause-keeper role found on-chain separate from admin Safe. Role separation between governance path (Tally→GovTimelockController) and operational path (Safe→operational Timelock) exists.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle 18 distinct roles defined in Role.sol (ROLE_ADMIN, TIMELOCK_ADMIN, CONTROLLER, CONFIG_KEEPER, FEE_KEEPER, ORDER_KEEPER, ORACLE_SIGNER, GOV_TOKEN_CONTROLLER, etc.) — role-level separation exists in design. However, current role holders (which addresses hold ROLE_ADMIN, CONTROLLER, ORACLE_SIGNER on Arbitrum) cannot be confirmed without RoleStore enumeration (Arbiscan 403). Cannot confirm upgrade ≠ fee ≠ oracle at the address level.
RD-F-037 yellow Quorum achievable via single-entity flash loan Quorum threshold not confirmed from data cache (governance.quorum_votes=null). Forum states simple majority (65%+1), 25,000 GMX minimum to propose. Flash loan attack not applicable given checkpoint voting (RD-F-036 green). Quorum achievability not fully assessed without on-chain Governor read.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist GovTimelockController is OZ TimelockController using standard call (not delegatecall). ExternalHandler.sol makes arbitrary call(target,data) with no target allowlist — only checks target.isContract(). The direct governance execution path does not route through ExternalHandler, but if a governance proposal targets ExternalHandler or a CONTROLLER-role holder directs it, arbitrary contract calls are possible. No in-sample incident occurred, but the architectural design is a latent risk.
RD-F-040 yellow Emergency-veto multisig present Security Committee (4+1 members) has advisory mandate including reviewing upgrades and timelock transactions. However, forum post confirms no on-chain veto power. No dedicated veto multisig contract found. The 5-of-8 admin Safe could decline to sign malicious proposals but is not a formal on-chain veto mechanism.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock No dedicated rescue/emergencyWithdraw function found (GitHub search returned 0 results). Bank.sol transferOut is CONTROLLER-gated operational function. RoleStore.revokeRole() is immediate — no timelock signal required — confirmed by README. This creates a non-timelocked path where ROLE_ADMIN can strip critical roles instantly. Full drain requires combining immediate role revocation with role reassignment and then calling Bank.transferOut; not a single-tx drain but the immediate revoke capability reduces effective timelock protection.
RD-F-042 yellow Admin has mint() with unlimited max Two unlimited-mint patterns found: (1) GovToken mint() by GOV_TOKEN_CONTROLLER — no supply cap (6.88M current supply); (2) MarketToken mint() by CONTROLLER — no supply cap per-market. The GMX trading token (0xfc5A1A6EB) is a separate ERC-20 not under this mint authority. GovToken minting dilutes governance votes; MarketToken minting by compromised CONTROLLER could fraudulently inflate LP positions. Both are role-gated. Not red: no single-address exploit path to drain user funds via mint alone.
RD-F-029 gray Multisig signers co-hosted Signer co-hosting cannot be assessed — only on-chain EOA addresses available. No ASN/datacenter/custodian data. Deferred to dev-identity-analyst for OSINT.
RD-F-030 gray Hot-wallet signer flag Hot-wallet vs hardware-wallet classification for 8 Safe signers not determinable from on-chain heuristics alone without dedicated analysis. No public hardware-signing attestations found. Deferred to dev-identity-analyst.
RD-F-031 gray Signer rotation recency Signer rotation recency unknown. No OwnerAdded/OwnerRemoved events verified. Profile flags that post-July 2025 v1 hack, admin key changes should be checked. Arbiscan returned 403 on event queries. Cannot confirm or deny direction of any recent changes.
RD-F-044 gray Admin wallet interacts with flagged addresses No Chainalysis, OFAC, or mixer-interaction data for Admin Safe 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D or its signers. Assessment requires curator watchlist tooling not available in this run.
RD-F-045 gray Constructor args match governance proposal No deploy-authorization governance proposals found for individual contract deployments. Protocol used deployer EOA for contract deployment without on-chain governance authorization votes per contract. Cannot verify constructor args against proposal-stated args.
RD-F-047 gray Governance token concentration (Gini) Gini coefficient of GMX_DAO governance token distribution not computed. 21,650 holders of ~6.88M supply. No on-chain holder distribution scan performed in this assessment run.
RD-F-167 gray Deprecated contract paused but pause reversible by live admin No confirmed deprecated GMX v2 contracts holding material value and paused by a revertible admin role found. GMX v1 contracts are a separate codebase not controlled by the v2 admin Safe. Post-July 2025 hack, v1 trading was disabled but v1 admin is out of scope for v2 assessment.
RD-F-025 green Admin key custody type Admin custody type is multisig + multiple timelocks. 5-of-8 Gnosis Safe on Arbitrum is the protocol admin. Three timelocks (Timelock, GovTimelockController, ConfigTimelockController) all enforce 86400s minDelay. On-chain governance via Tally GovToken (ERC20Votes).
RD-F-026 green Upgrade multisig signer configuration (M/N) 5-of-8 threshold on the Arbitrum Protocol Admin Safe. Stored as required=5, total=8. No Avalanche-specific Safe confirmed in data cache.
RD-F-027 green Single admin EOA Admin is a 5-of-8 Gnosis Safe, not an EOA. Deployer EOA (0xE7BfFf2aB721264887230037940490351700a068) is the initial deployer but is not the current protocol admin. No single EOA holds upgrade or rescue authority.
RD-F-036 green Flash-loanable voting weight GovToken (0x2A29D3a792000750807cc401806d6fd539928481) implements ERC20Votes with checkpoint-based delegation. Voting power is based on checkpointed delegated balance at proposal creation block, not current token balance. Flash loans cannot retroactively acquire past-checkpoint voting weight. Supply: ~6.88M GMX_DAO, 21,650 holders.
RD-F-038 green Proposal execution delay < 24h GovTimelockController minDelay=86400s (24h). Total governance execution path: 5-day voting period + 24h timelock queue minimum. Well above the 24h threshold.
RD-F-043 green Admin = deployer EOA after 7 days Protocol launched August 2023 (>21 months ago). Current admin is 5-of-8 Gnosis Safe 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D. Deployer EOA 0xE7BfFf2aB721264887230037940490351700a068 is distinct from current admin. Transfer to multisig was completed before or at launch.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core contracts are open-source (BUSL-1.1 license) and verified at launch. Source code accessible at github.com/gmx-io/gmx-synthetics; deployment JSON files cross-reference on-chain addresses with contract names. Docs.gmx.io lists all primary contract addresses.
Oracle & external dependencies Green 18 17 of 17
RD-F-049 yellow Oracle role per asset Primary oracle is GmOracleProvider (Chainlink Data Streams). ChainlinkPriceFeedProvider acts as a deviation-reference guard, NOT as an automatic fallback. If Data Streams price delivery fails, Oracle.sol reverts — it does not automatically fall back to on-chain Chainlink feeds for order execution. No declared secondary/fallback oracle per asset in the order execution path.
RD-F-051 yellow Fallback behavior on oracle failure No automatic on-chain fallback on oracle failure. If GmOracleProvider signature verification fails (insufficient valid signers, stale timestamp, invalid signature), Oracle.sol setPrices() reverts — the order execution fails. Keepers must manually switch delivery mechanisms. ChainlinkPriceFeedProvider exists as a configurable alternate provider but is not auto-activated on primary failure. GMX docs known-issues acknowledges manual keeper intervention required.
RD-F-052 yellow Breakage analysis per dependency Partial breakage analysis documented. GMX known-issues page covers: (1) sequencer downtime → keeper must manually pause; (2) keeper failure → orders not executed; (3) oracle outage → orders execute at stale prices or fail. Full formalized dependency-risk document with per-function impact classification does not appear to exist as a standalone publication. Major dependencies are covered in docs.
RD-F-058 yellow Max-deviation threshold (bps) Circuit breaker exists (see RD-F-057 = green), but MAX_ORACLE_REF_PRICE_DEVIATION_FACTOR exact on-chain value not verified in this assessment. The value is stored in DataStore (Arb 0xFD70de6b91282D8017aA4E741e9Ae325CAb992d8) and requires a DataStore key-hash lookup to read. Without the on-chain value, full green cannot be confirmed. Yellow pending direct DataStore read.
RD-F-059 yellow Oracle staleness check present Mixed staleness posture. Oracle.sol checks `validatedPrice.timestamp + maxPriceAge < Chain.currentTimestamp()` for GmOracleProvider (Data Streams) prices — this is a proper staleness check on the DON-signed timestamp. However, ChainlinkPriceFeedProvider (used as deviation reference) does NOT check updatedAt from latestRoundData() — it explicitly uses current block.timestamp. This means the reference price used in the circuit breaker could be stale. Data cache shows some feeds have 86400s heartbeat (BTC, ETH, USDC, AVAX) — potentially stale for up to 24h in the deviation reference.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig Chainlink on-chain AggregatorV3 feeds are used as deviation-reference guards, not primary prices. GMX Oracle.sol reads the feed answer value but does not enforce minAnswer/maxAnswer bounds at the GMX layer. For well-established Arbitrum feeds (ETH/USD 0x639Fe6ab55C921f74e7fac1ee960C0B6293ba612, BTC/USD 0x6ce185860a4963106506C203335A2910413708e9) bounds are typically not at Chainlink defaults, but this has not been verified on-chain in this assessment. Scored yellow — reference use limits but does not eliminate misconfig risk.
RD-F-062 yellow External keeper/relayer not redundant ORDER_KEEPER role in RoleStore gates all order execution. Keepers are team-controlled whitelisted addresses (not permissionless). If keeper network goes offline or is compromised, all order execution halts — no permissionless fallback. GMX docs known-issues confirms keeper downtime prevents execution. Multiple keeper addresses likely exist but all are team-controlled (centralized operator set). L2 sequencer check is not automated for non-atomic actions per docs.
RD-F-054 n/a TWAP window duration Not applicable — GMX v2 does not use DEX TWAP oracles. Primary oracle is Chainlink Data Streams (DON-signed pull). ChainlinkPriceFeedProvider uses AggregatorV3 latestRoundData() — a push oracle, not a TWAP. No Uniswap observe() or consult() calls in any oracle path.
RD-F-055 n/a Oracle pool depth (USD) Not applicable — GMX v2 does not use DEX pool liquidity as an oracle price source. No pool depth measurement required.
RD-F-056 n/a Single-pool oracle (no medianization) Not applicable — GMX v2 uses Chainlink Data Streams with internal DON medianization across multiple oracle nodes. Not a single DEX pool source. Medianization question for single-pool design does not apply.
RD-F-181 n/a Permissionless-pool lending oracle Not applicable — GMX v2 is a perpetuals DEX, not a permissionless-pool lending protocol. F181 tests whether a lending protocol accepts spot prices from permissionlessly-created DEX pools without liquidity/age filters. GMX v2 does not have permissionless market creation with user-supplied oracle addresses. GM pools are team-deployed via MarketFactory with explicit oracle configuration. No lending borrow/supply mechanics present (data cache: borrow.present: false).
RD-F-048 green Oracle providers used GMX v2 uses a two-tier oracle architecture: (1) Chainlink Data Streams (pull-based, DON-signed) as primary high-frequency oracle via GmOracleProvider; (2) Chainlink on-chain AggregatorV3 push feeds (19 feeds, data cache) as reference/deviation guard via ChainlinkPriceFeedProvider. Both are established Chainlink products with documented SLAs. No DEX TWAP, no Pyth, no RedStone in primary path.
RD-F-050 green Dependency graph (protocols depended upon) Core v2 trading path dependencies: (1) Chainlink Data Streams DON (price signing); (2) Chainlink on-chain AggregatorV3 (deviation reference); (3) ORDER_KEEPER network (order execution); (4) Arbitrum sequencer uptime feed; (5) DataStore (oracle config, immutable in Oracle.sol constructor); (6) RoleStore (access control). No Uniswap/Aave/Curve/external DeFi protocol dependency in core trading path. GMX token contract is peripheral (fee distribution only).
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] Primary oracle is Chainlink Data Streams (pull-based, DON-signed). No spot DEX pool reads. GmOracleProvider uses ECDSA multi-signer verification on off-chain signed (minPrice, maxPrice) pairs. ChainlinkPriceFeedProvider uses AggregatorV3Interface.latestRoundData() — a push-oracle, not a DEX spot pool. No slot0(), getReserves(), observe() or TWAP-consult pattern found in any oracle path.
RD-F-057 green Circuit breaker on price deviation Circuit breaker present. Oracle.sol implements a reference price deviation check: GmOracleProvider prices are compared to Chainlink on-chain AggregatorV3 feed prices; if the deviation exceeds MAX_ORACLE_REF_PRICE_DEVIATION_FACTOR, the price is rejected and the transaction reverts. This guards against Data Streams delivering prices that diverge wildly from on-chain reference.
RD-F-061 green LP token balanceOf used for pricing GMX v2 does not use balanceOf-based LP token pricing. Trading prices for underlying assets use Chainlink Data Streams via GmOracleProvider — not ERC-20 balanceOf calls. GM (market) tokens represent pool shares but their redemption value is derived from on-chain pool accounting in DataStore, not from a balanceOf price call. No balanceOf-in-price-path pattern found.
RD-F-180 green Immutable oracle address [★ CANDIDATE — PD-017, held from critical-19 count. T-14 tracking required.] Oracle provider addresses are NOT immutable per-asset in GMX v2. Oracle.sol reads oracle provider per-token from DataStore via `dataStore.getAddress(Keys.oracleProviderForTokenKey(address(this), token))`. DataStore is configurable by CONTROLLER role (team via 5-of-8 Safe + Timelocks). Oracle providers can be swapped without redeploying Oracle.sol. Oracle.sol has three immutable constructor variables (DataStore, EventEmitter, sequencerUptimeFeed) — these are infrastructure references, not per-asset price feed addresses. Per-asset oracle routing is fully admin-replaceable. Contrast with Morpho Blue's immutable market-level oracle (F180 = RED for morpho-v1).
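As an added illustration (not GMX code and not part of the rubric), the heartbeat-aware reference read that RD-F-059 and RD-F-060 describe as absent from ChainlinkPriceFeedProvider, combined with the reference-deviation circuit breaker that RD-F-057 credits to Oracle.sol. Contract and constant names, the 30-decimal scaling and the per-feed heartbeat/bound configuration are assumptions for the example; the aggregator interface is Chainlink's real AggregatorV3Interface, trimmed to the two functions used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface (only the functions used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Constructed example, not GMX code. A reference-price guard that
// (1) rejects stale or out-of-bounds aggregator answers (the gap noted in
//     RD-F-059 / RD-F-060), and
// (2) rejects a primary (DON-signed) price that deviates from the reference
//     by more than a configured factor (the check described in RD-F-057).
contract ReferencePriceGuard {
    // Assumed fixed-point scale: prices are carried with 30 decimals.
    uint256 public constant FLOAT_PRECISION = 1e30;

    error StaleReferencePrice(uint256 updatedAt, uint256 heartbeat, uint256 nowTs);
    error ReferenceAnswerOutOfBounds(int256 answer, int256 minAnswer, int256 maxAnswer);
    error ReferencePriceDeviation(uint256 primaryPrice, uint256 referencePrice, uint256 maxFactor);

    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 heartbeat;  // max accepted age of updatedAt, in seconds (assumed per-feed config)
        int256 minAnswer;   // bounds enforced at this layer, independent of the aggregator's own limits
        int256 maxAnswer;
    }

    mapping(address => FeedConfig) public feeds;

    // Max |primary - reference| / reference, in FLOAT_PRECISION units (e.g. 0.05e30 == 5 %).
    uint256 public immutable maxRefPriceDeviationFactor;

    constructor(uint256 _maxRefPriceDeviationFactor) {
        maxRefPriceDeviationFactor = _maxRefPriceDeviationFactor;
    }

    // Configuration setter. In a real deployment this would be role-gated and timelocked;
    // it is left open here only to keep the example self-contained.
    function setFeed(address token, AggregatorV3Interface feed, uint256 heartbeat, int256 minAnswer, int256 maxAnswer)
        external
    {
        require(address(feed) != address(0), "feed required");
        require(minAnswer > 0 && maxAnswer > minAnswer, "bad bounds");
        feeds[token] = FeedConfig(feed, heartbeat, minAnswer, maxAnswer);
    }

    // Reads the on-chain aggregator and refuses to use it as a reference unless the
    // round is fresh (within the heartbeat) and the answer sits strictly inside the bounds.
    function getReferencePrice(address token) public view returns (uint256) {
        FeedConfig memory c = feeds[token];
        require(address(c.feed) != address(0), "no feed");

        (, int256 answer, , uint256 updatedAt, ) = c.feed.latestRoundData();

        // Staleness: same shape as the Data Streams check the report quotes
        // (timestamp + maxAge < now), applied to the aggregator's updatedAt.
        if (updatedAt + c.heartbeat < block.timestamp) {
            revert StaleReferencePrice(updatedAt, c.heartbeat, block.timestamp);
        }
        // Bounds: an aggregator pinned at its own min/max would be caught here.
        if (answer <= c.minAnswer || answer >= c.maxAnswer) {
            revert ReferenceAnswerOutOfBounds(answer, c.minAnswer, c.maxAnswer);
        }

        // Scale the feed's native decimals (8 for most USD feeds) to FLOAT_PRECISION.
        uint8 feedDecimals = c.feed.decimals();
        return uint256(answer) * FLOAT_PRECISION / (10 ** feedDecimals);
    }

    // Circuit breaker: revert if the primary price diverges from the reference by more
    // than maxRefPriceDeviationFactor. Returns the reference used, for event logging.
    function validateAgainstReference(address token, uint256 primaryPrice) external view returns (uint256) {
        uint256 referencePrice = getReferencePrice(token);
        uint256 diff = primaryPrice > referencePrice ? primaryPrice - referencePrice : referencePrice - primaryPrice;
        uint256 deviationFactor = diff * FLOAT_PRECISION / referencePrice;
        if (deviationFactor > maxRefPriceDeviationFactor) {
            revert ReferencePriceDeviation(primaryPrice, referencePrice, maxRefPriceDeviationFactor);
        }
        return referencePrice;
    }
}
```

With a 24h heartbeat configured for a feed, a reference that has not updated within that window makes the circuit breaker revert instead of silently comparing against a stale value, which is the failure mode RD-F-059 flags.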
Economic risk Green 14 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL is $242,974,521 as of 2026-05-05T09:51:39Z per DefiLlama API — above the $100M green floor but only marginally. The 30-day change is -8.22% (data cache sources.defillama.tvl_30d_change_pct). 1-day change is +0.74%, suggesting recent stabilization. The 12-month peak was approximately $355M (April 2025). The declining trend is attributable to competitive pressure (Hyperliquid growth) rather than protocol-specific risk, but directional momentum is negative. Yellow: TVL level is adequate but the sustained decline from peak warrants caution.
RD-F-068 yellow Collateralization under stress Under a 50% drawdown of BTC/ETH: dual-token pools (WETH/USDC, WBTC/USDC) partially self-hedge because the pool's long-side collateral (WETH/WBTC) also drops, partially offsetting long-trader PnL (longs lose when price drops). Short-trader wins must be paid from pool USDC reserves; ADL fires when MAX_PNL_FACTOR_FOR_ADL is breached, preventing insolvency. Synthetic markets (SOL, LINK backed only by USDC short-side collateral) carry elevated ADL risk: rapid index price moves are not offset by collateral price appreciation. The LD Capital analysis (2023) specifically flags synthetic markets as having higher ADL frequency. A full simulation (on-chain per-market reserve factors, live OI, live pool balances) was not completed due to stats.gmx.io ECONNREFUSED and absent on-chain DataStore reads. Yellow: ADL mechanism is structurally sound on major BTC/ETH markets; synthetic market tail risk is elevated and unconfirmed by simulation. Reserve factor nominal range 0.5-0.95 per docs.gmx.io.
RD-F-072 yellow Market-listing governance threshold GMX v2 operates a Listing Committee with delegated DAO authority for new market listings. For Season 4 (May 1 to October 31, 2026) the committee consists of three elected members: Snipermonke, Simon, and Immie. The committee evaluates new asset listing requests against criteria including on-chain liquidity depth, historical volatility, Chainlink Data Streams oracle availability, and Chaos Labs risk modeling. Committee members are DAO-elected via Snapshot vote and operate under a DAO governance mandate. New listings are not permissionless (anyone-can-list). However, listings also do not require a full DAO on-chain vote per individual listing — the committee has delegated authority. Per rubric: yellow = committee-level delegated threshold (between permissionless red and full DAO vote per listing green). Risk mitigation relies on committee accountability to DAO, not cryptographic access controls per listing.
RD-F-064 gray TVL concentration (top-10 wallet share) GM pool LP token concentration across GMX v2 markets is not enumerable from available public sources. stats.gmx.io returned ECONNREFUSED on 2026-05-05. Dune Analytics queries are not accessible via WebFetch (JS-rendered SPA). No subgraph query was executed. Governance token (GMX) whale context exists from search results (Blocktower ~336K GMX, Arthur Hayes ~200K GMX per CryptoNewsNavigator) but this reflects governance token concentration, not GM LP pool concentration. LP pool concentration for individual GM market tokens cannot be confirmed. Gray: data source inaccessible.
RD-F-066 gray Utilization rate (lending protocols) Lending utilization rate is not applicable — GMX v2 is a perpetuals DEX with no supply/borrow model (data cache sources.defillama.borrow.present = false). The perps-equivalent signal is OI utilization as a fraction of pool reserve capacity. The protocol documentation states 'only 40-50% of pool can be utilized' under standard reserve factor configuration. The DataStore enforces (pool tokens x reserve_factor) - reserved tokens = available liquidity, where reserve_factor is typically 0.5-0.95. Current live OI data is not accessible: stats.gmx.io returned ECONNREFUSED and the DefiLlama data cache open_interest_usd field is null. Gray is the correct classification per rubric: protocol is not a lending protocol (N/A for standard utilization rate), and live OI utilization could not be confirmed.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin GMX v2 is a perpetuals DEX (protocol type evm_perps_dex per 00-profile.md §1). It does not issue any stablecoin, algorithmic or otherwise. The protocol accepts USDC and other established stablecoins as collateral inputs but does not synthesize or mint a stablecoin. Factor RD-F-069 (algorithmic / under-collateralized stablecoin) is not applicable.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) GMX v2 is not a Compound V2 fork. Profile §5 confirms: 'Not forked from any external protocol. GMX v2 is an original rewrite by the GMX core team.' The GM pool model uses ERC-20 market tokens (GM tokens) with a two-sided long/short collateral vault — not cToken supply/borrow accounting. MarketToken.sol source-code verified: declared as 'contract MarketToken is ERC20, Bank' — no Compound CErc20 interface, no totalSupply/totalBorrow lending primitives. The Compound donation/empty-market attack requires zero-supply and zero-borrow state on a cToken market followed by a direct token donation to inflate the exchange rate — none of these preconditions exist in GMX v2. The closely related first-depositor share-inflation risk is independently assessed as green under RD-F-075, with the RECEIVER_FOR_FIRST_DEPOSIT = address(1) guard confirmed in ExecuteDepositUtils.sol.
RD-F-073 n/a Oracle-manipulation-proof borrow cap GMX v2 is a perpetuals DEX with no lending borrow caps (data cache sources.defillama.borrow.present = false). The factor addresses oracle-manipulation-proof borrow caps as a defense against DEX-TWAP oracle attacks on lending protocols. This vector does not apply to GMX v2. The analogous manipulation deterrents in GMX v2 are: (a) price impact fees that make large OI skew increasingly expensive as OI grows, (b) MAX_OPEN_INTEREST caps per market side (initially set at $256M for BTC/ETH, $4M for AVAX/LINK, $1M for other markets per Chaos Labs recommendations at v2 launch per LD Capital analysis), and (c) Chainlink Data Streams pull-oracle architecture which requires coordinated attack on multiple DON-signed price feeds. These serve analogous protective functions but are not DEX-TWAP borrow-cap vectors. Factor is not applicable.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) GM tokens (market tokens) are standard ERC-20 tokens. MarketToken.sol source-code confirmed: declared as 'contract MarketToken is ERC20, Bank' — it inherits from OpenZeppelin ERC20 and a custom Bank contract. It does not implement the ERC-4626 vault interface (no deposit(), withdraw(), redeem(), totalAssets(), convertToShares(), convertToAssets() functions). The OpenZeppelin version in use is 4.9.3 per the data cache (github.oz_contracts_version). The ERC-4626 virtual-share inflation attack (where an attacker rounds down share minting via the virtualOffset in the 4626 accounting) does not apply to MarketToken because share accounting is handled externally in ExecuteDepositUtils.sol and MarketUtils.sol, not via the ERC-4626 interface. The analogous first-depositor protection is assessed under RD-F-075. Factor RD-F-074 is not applicable.
RD-F-065 green Liquidity depth per major asset Primary GM pool assets are WBTC, WETH, and USDC. BTC and ETH have deep on-chain liquidity across major DEXs — 2% price impact depth is well above any LP exit requirement implied by the $243M TVL. USDC is a dollar-pegged stablecoin with effectively unlimited depth at 2% price impact. Long-tail altcoin pools (DOGE, XRP, LTC, SHIB, WIF) have lower underlying asset liquidity, but the total long-tail pool allocation is estimated at less than 15% of TVL based on pool listing data and governance proposal context. The dominant pools are BTC and ETH denominated. Exit risk for large LP on a long-tail pool is real but not threshold-breaching for the protocol as a whole. Green: primary asset liquidity is adequate.
RD-F-067 green Historical bad-debt events GMX v2 (GM pools) has zero confirmed bad-debt events as of 2026-05-05. The July 2025 $42M exploit targeted GMX v1/GLP contracts (specifically a reentrancy in executeDecreaseOrder that manipulated GLP AUM calculations) — the v2/GM pool system was not exploited and sustained no loss. The attacker voluntarily returned approximately $37M, keeping a $5M bounty. The Abracadabra Money March 2025 incident ($13M loss) was caused by a bug in Abracadabra's own gmCauldron contract logic that used GMX v2 GM tokens as collateral; GMX v2 contracts were not exploited and no GM pool solvency loss occurred. GMX's ADL mechanism is specifically designed to prevent bad debt: positions are forcibly reduced when the PnL-to-pool ratio exceeds MAX_PNL_FACTOR_FOR_ADL. Green: no bad-debt events in GMX v2.
RD-F-071 green Seed-deposit requirement for new market listing GMX v2 enforces a first-deposit guard at the contract level in ExecuteDepositUtils.sol via the _validateFirstDeposit function. When marketTokensSupply equals zero (new or empty pool): (1) the deposit receiver is required to equal RECEIVER_FOR_FIRST_DEPOSIT = address(1), a burn address — any other receiver causes a revert; (2) deposit.minMarketTokens() must meet or exceed a protocol minimum floor; the contract reverts with InvalidMinMarketTokensForFirstDeposit if not satisfied. This is a mandatory code-enforced seed-deposit equivalent: initial GM token shares are routed to a burn address and no user can bootstrap a new market while retaining all initial shares. The contract source includes the comment 'this also helps to prevent manipulation of the market token price by the first depositor.' Green: seed-deposit requirement is code-enforced.
RD-F-075 green First-depositor / share-inflation guard GMX v2 implements an explicit first-depositor guard in ExecuteDepositUtils.sol via the _validateFirstDeposit function. When marketTokensSupply equals zero (new or empty pool): (1) RECEIVER_FOR_FIRST_DEPOSIT is defined as address(1) — a burn address — and the function reverts with InvalidReceiverForFirstDeposit if the deposit receiver is any other address; (2) deposit.minMarketTokens() must meet a protocol-defined minimum floor, reverting with InvalidMinMarketTokensForFirstDeposit otherwise; (3) any positive price impact USD amount is set to zero to prevent double-counting on the first deposit. The contract includes the inline comment 'this also helps to prevent manipulation of the market token price by the first depositor.' The classic share-inflation attack (first depositor mints 1 wei of shares, donates collateral to inflate share price, second depositor gets zero shares due to rounding) is blocked by routing all initial shares to the burn address. This is an on-chain code-enforced g
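To make the RD-F-071 / RD-F-075 mechanism concrete, the following added model (not GMX code) runs the classic share-inflation sequence against a minimal integer-math share pool twice: once unguarded, and once with a guard modelled on the page's description (first deposit must be received by address(1) and meet a minimum-shares floor). The pool accounting, the MIN_FIRST_DEPOSIT_SHARES floor and the deposit sizes are constructed for the illustration; GM token pricing, oracle valuation and the price-impact zeroing step are deliberately omitted.

```python
# Added illustration (not GMX code): minimal share pool showing why routing the
# bootstrap shares to a burn address defeats first-depositor share inflation.
from dataclasses import dataclass, field

RECEIVER_FOR_FIRST_DEPOSIT = "0x0000000000000000000000000000000000000001"  # address(1)
MIN_FIRST_DEPOSIT_SHARES = 10**6  # constructed floor; the real protocol minimum differs
USDC = 10**6  # 6-decimal token unit used for the constructed amounts


class InvalidReceiverForFirstDeposit(Exception):
    pass


class InvalidMinMarketTokensForFirstDeposit(Exception):
    pass


@dataclass
class SharePool:
    guarded: bool
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def deposit(self, receiver: str, amount: int, min_shares: int = 0) -> int:
        """Mint shares pro rata; the floor division is what the attack exploits."""
        if self.total_shares == 0:
            if self.guarded:
                # Guard modelled on the page: bootstrap shares go to address(1)
                # and the caller must commit to a minimum share amount.
                if receiver != RECEIVER_FOR_FIRST_DEPOSIT:
                    raise InvalidReceiverForFirstDeposit(receiver)
                if min_shares < MIN_FIRST_DEPOSIT_SHARES:
                    raise InvalidMinMarketTokensForFirstDeposit(min_shares)
            shares = amount  # 1:1 bootstrap price
        else:
            shares = amount * self.total_shares // self.total_assets
        if shares < min_shares:
            raise ValueError("minimum shares not met")
        self.total_assets += amount
        self.total_shares += shares
        self.balances[receiver] = self.balances.get(receiver, 0) + shares
        return shares

    def donate(self, amount: int) -> None:
        """Direct transfer into the pool: raises the share price without minting."""
        self.total_assets += amount

    def redeem(self, holder: str, shares: int) -> int:
        assets = shares * self.total_assets // self.total_shares
        self.balances[holder] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def run_inflation_attack(guarded: bool) -> dict:
    """Attacker front-runs a 10,000 USDC victim deposit; returns the outcome."""
    pool = SharePool(guarded=guarded)
    attacker, victim = "attacker", "victim"
    donation = 10_000 * USDC
    victim_amount = 10_000 * USDC
    if guarded:
        # The attacker cannot keep the bootstrap shares: the first deposit is
        # forced to address(1), so the seed (and any later donation) is burned.
        seed = MIN_FIRST_DEPOSIT_SHARES
        pool.deposit(RECEIVER_FOR_FIRST_DEPOSIT, seed, min_shares=seed)
        attacker_cost = seed + donation
    else:
        pool.deposit(attacker, 1)  # 1 wei of collateral -> 1 share
        attacker_cost = 1 + donation
    pool.donate(donation)  # inflate share price before the victim's deposit lands
    victim_shares = pool.deposit(victim, victim_amount)
    attacker_shares = pool.balances.get(attacker, 0)
    attacker_out = pool.redeem(attacker, attacker_shares) if attacker_shares else 0
    victim_out = pool.redeem(victim, victim_shares) if victim_shares else 0
    return {
        "victim_shares": victim_shares,
        "victim_redeemed": victim_out,
        "attacker_pnl": attacker_out - attacker_cost,
    }


def first_deposit_to_self_reverts() -> bool:
    """With the guard on, a first deposit to any receiver but address(1) reverts."""
    try:
        SharePool(guarded=True).deposit("attacker", 1)
    except InvalidReceiverForFirstDeposit:
        return True
    return False
```

Unguarded, the victim is minted zero shares and the attacker redeems the victim's entire deposit; guarded, the victim receives 999,900 shares and loses only rounding dust, while the attacker's seed and donation accrue to burned shares.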
Operational history Green 17 15 of 15
RD-F-089 red Insurance coverage active No active third-party insurance coverage for GMX v2 found at scale relative to TVL. Nexus Mutual lists a GMX v2 GM token cover product via OpenCover with approximately $5M cover capacity — representing ~2% of the $242.9M current TVL. This is below the 5%-of-TVL green threshold. No Sherlock coverage program for GMX v2 found. No Unslashed program found. Score = red. This is the single red factor in Cat 5 and drives the yellow rollup.
RD-F-088 yellow Re-deployed to new addresses in last year GMX v2 uses a re-deploy (not proxy-upgrade) model for logic contracts: 'Contract addresses change when logic contracts are upgraded' per official docs. Current ExchangeRouter address (0x1C3fa76e6E1088bCE750f23a5BFcffa1efEF6A41) differs from prior documented addresses (0x602b805E... and 0x7c68c786... visible on Arbiscan history), indicating redeployments have occurred. New GLV contracts, MultichainOrderRouter, and MultichainVault were also deployed in 2024-2025. This constitutes redeployment with a documented protocol-level migration path. Score = yellow (redeployment with documented migration path; user-side stale approval revocation guidance unclear).
RD-F-078 n/a Chronic-exploit flag (≥3 incidents) Zero v2-direct incidents. Chronic threshold of >=3 incidents not reached. Hacksdatabase contains one GMX entry (v1 only). Abracadabra Rekt II is categorized under Abracadabra, not GMX.
RD-F-080 n/a Days since last exploit Zero v2-direct exploits; factor defaults to green (no incidents on record). The most recent v1 incident (July 9 2025) is ~300 days before assessment date 2026-05-05. Per the v1-does-not-count-for-v2 rule, the v2 reading is green on a zero-incident basis.
RD-F-081 gray Post-exploit response score No GMX v2 direct exploit has occurred; factor is N/A per methodology. Gray per template: 'no prior exploits (N/A)'. Context note: the v1 July 2025 response (if applied analogously) would score ~4.5/5 — full $44M compensation, same-day post-mortem, bounty paid within 48h — demonstrating strong team response capability.
RD-F-082 gray Post-mortem published within 30 days No GMX v2 direct exploit has occurred; factor is N/A per methodology. Gray per template: 'no prior incidents (N/A)'. Context note: the v1 July 2025 post-mortem was published July 10 2025 (the day after the July 9 exploit), within 30 days.
RD-F-083 gray Auditor re-engaged after last exploit No GMX v2 direct exploit has occurred; factor is N/A per methodology. Gray per template: 'no prior exploits (N/A)'. Context note: Guardian Audits has ongoing post-launch engagement covering v2 system updates (10+ engagements per profile §8). This provides general assurance but does not trigger the post-exploit re-audit condition since there is no v2 exploit.
RD-F-084 n/a TVL stability (CoV over 90d) Full 90-day daily TVL series not available (DefiLlama HTML 403 known structural gap). Estimated from available data: current TVL $242,974,521 (data cache 2026-05-05); 30-day change -8.22%; 12-month peak ~$355M. Estimated CoV from this range is approximately 0.20-0.30 if the window includes the July 2025 v1 hack confidence shock (TVL likely dipped sharply in that period due to sentiment spillover). Estimated CoV for a normalised window excluding the hack period would be ~0.12-0.15 (green-yellow boundary). Conservative yellow at medium confidence. Curator should verify via api.llama.fi/protocol/gmx-v2-perps full daily series.
RD-F-085 gray Incident response time (minutes) No GMX v2 direct exploit has occurred; factor is N/A per methodology. Gray per template: 'no prior incidents (N/A)'. Context note: for the v1 July 9 2025 exploit, GMX's first public statement appeared the same day per multiple sources; the exact minute count is not confirmed but the sub-240-minute response category is supported.
RD-F-076 green Protocol age (days) GMX v2 (Arbitrum, primary deployment) launched 2023-08-04. Age at 2026-05-05: approximately 639 days (~21 months). Well above the 365-day green threshold and the 12-month A-grade live-time floor. Avalanche v2 live since 2024-06-27 (~11 months, secondary).
RD-F-077 green Prior exploit count Zero direct GMX v2 exploits across ~21 months live. Three incidents in the incident register are v1-only (Sept 2022 AVAX oracle manipulation, July 2025 reentrancy) or third-party integrator bugs (March 2025 Abracadabra gmCauldron exploit where GMX v2 contracts were not exploited). Hacksdatabase gmx.md entry is v1-only; abracadabra-rekt2.md confirms GMX v2 contracts were unaffected. Data cache hacks field is empty. Score = green (0 direct v2 exploits).
RD-F-079 green Same-root-cause repeat exploit Zero v2-direct exploits; no repeat root-cause cluster possible for v2. Note: GMX v1 had two incidents sharing the same non-atomic global-short-state root-cause class (2022 Collider VC bounty and July 2025 reentrancy), but both are v1 incidents. Per the v1-exploit-does-not-equal-v2-incident interpretation rule, this does not constitute a v2 same-root-cause repeat.
RD-F-086 green Pause activations (trailing 12 months) No GMX v2 (GM pool) protocol pause activations found in the trailing 12 months (2025-05-05 to 2026-05-05). The July 2025 v1 hack caused GLP trading to be paused on v1; GMX v2 was explicitly not paused and remained operational throughout. The Guardian multisig holds a pause capability on v2 per search results but it was not exercised. Score = green (0 documented v2 pause activations).
RD-F-087 green Pause > 7 consecutive days No GMX v2 protocol-wide pause lasting more than 7 consecutive days found in the trailing 12 months. GMX v2 was not paused during the July 2025 v1 incident. Score = green.
RD-F-166 green Deprecated contracts still holding value No formally-announced deprecated GMX v2 contracts with >$100K residual value identified. GMX v2 uses periodic ExchangeRouter redeployments as its standard upgrade mechanism, but no contract has been formally announced as deprecated with a published prior-address list. GMX v1 is a distinct parallel protocol, not a deprecated v2 surface. Score = green (no confirmed deprecated surface holding material value per formal deprecation announcement).
Real-time signals Green 3 22 of 22
RD-F-099 yellow Oracle price deviation >X% from secondary GMX v2 uses Chainlink Data Streams (pull-based, DON-signed). Oracle prices are delivered by whitelisted ORACLE_SIGNER addresses in RoleStore (0x3c3d99FD298f679DBC2CEcd132b4eC4d0F5e6e72 on Arbitrum). ORACLE_SIGNER addresses are not publicly enumerated in docs.gmx.io — centralization surface. 19 Chainlink push-feed addresses in the data cache serve as reference/fallback. No confirmed >1% sustained oracle deviation at assessment date. Yellow structural risk: GMX docs explicitly note no automated L2 sequencer liveness check — keepers must manually pause on Arbitrum sequencer outage, creating a window where stale prices could be accepted. Signal not in production scope (phase-2). Threshold: |primary-secondary|/primary > 1% sustained >=4 blocks.
RD-F-091 gray Partial-drain test transactions No documented small-value probe transactions targeting GMX v2 contracts consistent with a pre-drain pattern at assessment date. The July 2025 v1 attack had a compressed timeline (Tornado Cash funding 2025-07-07, exploit 2025-07-09 — a 2-day window, not an extended reconnaissance phase). No partial-drain test transactions on GMX v2 GM pools documented in public sources. Signal requires on-chain mempool monitoring to assess. Gray — not confirmed by public data.
RD-F-092 gray Unusual mempool pattern from deployer wallet No unusual deployer wallet activity documented at assessment date. GMX v2 relevant deployer: GovTimelockController deployer 0xE7BfFf2aB721264887230037940490351700a068; legacy v1 deployer 0x5f799f365fa8a2b60ac0429c48b153ca5a6f0cf8 (labeled 'GMX: Deployer' on Arbiscan). Last repo commit 2026-04-27 indicates active development. No anomalous deploy burst or mass-approval sequence documented in public search. Direct Arbiscan fetch blocked (403). Requires mempool monitoring.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet No documented >=5x median gas priority-fee spike from unidentified wallets interacting with GMX v2 core contracts at assessment date 2026-05-05. Signal requires real-time mempool monitoring. Gray — not assessable from public data.
RD-F-094 gray New contract with similar bytecode to exploit template The July 2025 v1 exploit created a known reentrancy exploit template (gmxPositionCallback callback reentrancy pattern in executeDecreaseOrder). However, the GMX v2 architecture closes this path: the short average price calculation occurs in the same contract as order execution, eliminating the cross-contract reentrancy surface. No contract with bytecode similarity to a GMX v2-specific exploit template documented in public data. The v1 template exists in the public hack DB but is not applicable to the v2 architecture.
RD-F-095 gray Known-exploit function-selector replay The v1 exploit used the gmxPositionCallback reentrancy selector pattern. GMX v2 removed this callback pathway. No v2-equivalent known-exploit selector replay pattern documented. Signal requires on-chain selector pattern monitoring. Gray — v1 selector not applicable to v2 architecture; no v2-specific replay pattern in public exploit DB.
RD-F-096 gray New ERC-20 approval to unverified contract from whale No documented large-user approval to an unverified contract interacting with GMX v2 at assessment date. The GMX v2 pull-oracle / keeper architecture means users primarily interact via signed orders (not direct approvals to protocol contracts), which reduces the attack surface relative to lending protocols. GM token (LP token) approvals to unverified contracts would still be applicable. Requires on-chain approval monitoring. Gray — not confirmed by public data.
RD-F-097 gray Sybil surge of identical-pattern transactions No documented sybil surge of identical-pattern transactions targeting GMX v2 order execution or oracle keeper behavior at assessment date. Requires on-chain pattern clustering. Gray — not confirmed by public data.
RD-F-098 n/a TVL anomaly — % drop in <1h TVL at assessment date 2026-05-05: $242,974,521 total (Arbitrum $222,668,833 / 91.6%; Avalanche $11,233,013 / 4.6%; MegaETH $9,054,141 / 3.7%). 30d change: -8.22%. Daily change: +0.74% (recent stabilization). Tier-A threshold (30% drop in 1h): not breached. Tier-B precursor (TVL_now/TVL_(t-15m) < 0.93 AND top-3 outflows to non-allowlisted addresses): not triggered. Yellow rationale: the -8.22%/30d sustained decline from peak ~$355M (Apr 2025) to $243M is a trend worth monitoring. Not a fire, but elevated vs the zero-drift baseline. Daily stabilization at +0.74% reduces urgency.
RD-F-103 gray Bridge signer-set change proposed/executed The GMX v2 core trading protocol has no bridge surface (layerzero.present: false per data cache; each chain deployment has independent isolated pools). Signal is structural N/A for the trading protocol. Admin Safe threshold confirmed stable at 5-of-8 (per Safe API data cache, fetched 2026-05-05T09:51:39Z); no threshold change event detected. The GMX governance token uses LayerZero OFT (gmx-token-lz repo) but this is peripheral and out of the trading contract scope. Gray — N/A for protocol type.
RD-F-106 gray Cross-chain bridge unverified mint pattern The GMX v2 core trading protocol has no bridge surface. Each chain deployment (Arbitrum, Avalanche, MegaETH, Botanix) runs independent isolated pools with no protocol-owned cross-chain messaging. layerzero.present: false per data cache. N/A.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signal requiring device fingerprint / session-key telemetry from signing hardware or MPC provider. Not assessable from public data. The GMX team is pseudonymous (xdev_10); geographic signing patterns are not documented. Gray — structurally not assessable without proprietary telemetry.
RD-F-109 gray Social-media impersonation scam spike No documented spike in Discord/Telegram/X accounts impersonating GMX DeFi protocol team or announcing fake airdrops at assessment date. Note: search results surfaced GMX.net/GMX.com email service phishing incidents — these are a separate unrelated entity (Global Mail eXchange). No DeFi-specific GMX protocol impersonation spike confirmed. Profile §9 notes Discord not confirmed from public search. Requires social-media monitoring tool. Gray — no specific spike confirmed.
RD-F-090 green Mixer withdrawal → protocol interaction No confirmed mixer-funded wallet interaction with GMX v2 core contracts (ExchangeRouter 0x1C3fa76e6E1088bCE750f23a5BFcffa1efEF6A41, DataStore 0xFD70de6b91282D8017aA4E741e9Ae325CAb992d8, OrderVault 0x31eF83a530Fde1B38EE9A18093A333D8Bbbc40D5) at assessment date 2026-05-05. The July 2025 v1 exploit attacker was funded via Tornado Cash (2 ETH on 2025-07-07 per Cyvers/Decrypt analysis), but targeted v1 GLP pool contracts only; GMX v2 was not involved. Threshold: wallet withdrew from Tornado Cash/Railgun within 30 days AND value >$100k AND >=2 attribution sources. Signal would not fire today.
RD-F-100 green Flash loan >$10M targeting protocol tokens No documented flash loan >$10M targeting GMX v2 oracle or market contracts at assessment date. Pull-oracle design (Chainlink Data Streams) structurally reduces flash-loan oracle price manipulation risk compared to push-oracle protocols — oracle prices are DON-signed off-chain and not readable from on-chain DEX spot pools. Flash loans can still be used to scale position sizes but cannot directly manipulate the price feed. The July 2025 v1 exploit used reentrancy (not flash loan oracle manipulation) and targeted v1 only. Threshold: flash loan >$10M USD AND receiver contract interacts with protocol oracle, market, or governor in same tx.
RD-F-101 green Large governance proposal queued Tally GMX governance page queried at assessment date shows 'No proposals created yet / No active proposals.' GovTimelockController (Arbitrum) at 0xFBEff82f2DD5E51B8AF34b57cf788b4b09d466F9 with 86400s minDelay. Minimum 25,000 GMX to propose. Two historical executed proposals confirmed (Treasury Swap and Buyback GMX) — governance is live and has executed legitimate proposals. No malicious-pattern proposal (containing grantRole, setAdmin, upgradeTo, delegatecall to non-allowlisted target) queued at assessment date. Signal would not fire.
RD-F-102 green Admin/upgrade transaction in mempool No admin/upgrade mempool transaction documented at assessment date. All upgrades require 86400s timelock delay across five timelocks (Timelock Arb 0x7A967D114B8676874FA2cFC1C14F3095C88418Eb, GovTimelockController Arb 0xFBEff82f2DD5E51B8AF34b57cf788b4b09d466F9, ConfigTimelockController Arb 0xC77E6C0ca99E02660A23c00A860Dd5a8912DEaF5, and Avalanche equivalents). Any queued upgrade is observable on-chain for 24 hours before execution. Phase-2 signal — not in production scope. Threshold: pending tx from admin address to protocol contracts with admin-function selector AND no matching queued governance proposal.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue No USDC/USDT/DAI/FRAX depeg >2% sustained >=30 min documented at assessment date 2026-05-05. GMX v2 short collateral is limited to USDC, USDT, DAI, or FRAX per protocol docs. Protocol exposure to major stablecoins easily exceeds 5% of TVL threshold given they form the short-side collateral across all markets. Signal applicable and would fire if any of these stablecoins depegged >2% sustained. Current posture: all major stablecoins on-peg. Threshold: |price_now - peg|/peg > 2% on >=2 venues sustained >=30 min AND protocol exposure >=5% of TVL.
RD-F-105 green DNS/CDN/frontend hash drift gmx.io domain: registered 2015-05-01, registrar Cloudflare Inc, expiry 2028-07-31, privacy protection enabled (DATA REDACTED for registrant per WHOIS). No DNS record change, TLS certificate issuer change, or JS bundle hash drift documented in public data at assessment date. Cloudflare as CDN/registrar provides DDoS and SSL protections. No reported frontend compromise for GMX DeFi protocol in the assessment window. Threshold: hash of DNS record set, TLS cert issuer, or JS bundle differs from last-known-good baseline AND no change-management allowlist entry.
RD-F-108 green GitHub force-push to sensitive branch No GitHub Security Advisory (GHSA), force-push alert, or unauthorized push to main branch documented for gmx-synthetics repo at assessment date. GitHub repo is public (https://github.com/gmx-io/gmx-synthetics). Last commit 2026-04-27 from repository maintainers. data cache github.changelog_present: false, security_md_present: false (gaps but not anomalies). No force-push or non-protocol-account push detected in public search.
RD-F-110 green Unusual pending/executed proposal ratio Tally GMX governance queried at assessment date 2026-05-05 shows 'No proposals created yet / No active proposals.' Two historical proposals confirmed as executed (Treasury Swap; Buyback GMX and Distribute GMX). No pending proposals queued. Pending/executed ratio = 0/2 = 0.0. No anomalous accumulation of pending unexecuted proposals relative to a trailing baseline. Signal does not fire.
RD-F-182 green Security-Council threshold reduction (RT) F182 batch-24 RT signal: Security-Council threshold reduction event. GMX admin Safe confirmed stable at 5-of-8 threshold (Safe API data cache, fetched 2026-05-05T09:51:39Z at 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D). All five timelocks confirmed at 86400s minDelay (1-day) with no reduction documented. Security Committee Season 4 (May 1 — Oct 31, 2026) was constituted via governance vote, not via unilateral threshold reduction. No signer addition within <=14 days of a threshold change. Drift Protocol analog: Drift Apr 2026 had 3/5 -> 2/5 + timelock removal 6 days before $285M DPRK exploit. GMX Safe is 5/8 with no recent change — does not match precursor pattern. Signal would not fire.
Dev identity & insider risk Green 18 16 of 16
RD-F-111 yellow Team doxx status Core dev (xdev_10/xvi10 pseudonyms) has a 4-year consistent track record: XVIX (2021) → Gambit Financial → GMX v1 → GMX v2. Category = consistent-pseudonym-with-track-record. 2 of 8 admin Safe signers are real-name doxxed (Krunal Amin — UniDex founder; Benjamin Simon — Stealth Crypto co-founder). 6 of 8 Safe signers are unidentified. The team is not fully anonymous but lacks real-name accountability at the core dev level.
RD-F-112 yellow Team public accountability surface Core dev accountability: GitHub (4 years, gmx-io/gmx-synthetics), Twitter @xdev_10, gov.gmx.io forum posts — no LinkedIn, no real name, no employer. Krunal Amin: LinkedIn, UniDex CEO, news coverage, conference presence (score ~4/5). Benjamin Simon: LinkedIn, Stealth Crypto co-founder (score ~3/5). 6 of 8 Safe signers: zero public accountability trail (score 0/5). Blended across all privileged wallets: low (~1.5/5). Core dev alone would score ~2/5.
RD-F-116 yellow Contributor tenure at admin-permissioned PR GitHub org gmx-io has no public members. Commit history shows xdev10, xvi10, gmxer, dmax10 as contributors with activity spanning Nov 2024 – Apr 2026 in the visible window; the repo dates to a 2021 origin. Cannot confirm PR author tenure for the most recent admin-permissioned change without the authenticated GitHub API. Given the 4-year repo history and consistent contributor handles, core contributors likely exceed 365 days. Scored yellow per scoring discipline (insufficient programmatic confirmation).
RD-F-117 yellow ENS/NameStone identity bound to deployer Legacy deployer 0x5f799f365fa8a2b60ac0429c48b153ca5a6f0cf8 has ENS 'xvix.eth' bound — provides verifiable identity linkage to the XVIX predecessor protocol. Primary v2 deployer 0xe7bfff2a... has no confirmed ENS name from available sources. Partial: one of two deployer addresses has ENS, mapping to a consistent protocol lineage. Not full green because the primary v2 deployer lacks a confirmed ENS binding.
RD-F-119 yellow Commit timezone consistent with stated geography GitHub contributors (xdev10, xvi10, dmax10, gmxer, gdev8317, coltgmx) active across Nov 2024 – Apr 2026. The team does not publicly state a geography. No anomalous timezone pattern identified from available data, but commit-hour granularity is insufficient to perform a rigorous timezone anomaly check. Scored yellow per scoring discipline: stated geography unknown, no flagging, but cannot clear programmatically.
RD-F-120 yellow Video-off/voice-consistency flag Core dev (xdev_10/xvi10) operates fully pseudonymously and has not appeared on video in any public forum, conference, or podcast to public knowledge. No on-camera appearance found for any core contributor. Krunal Amin and Benjamin Simon are real-name signers, but their video appearances in a GMX-specific context were not confirmed. Scored yellow: a pseudonymous lead dev with no public video appearance is a mild concern (not a red signal in isolation).
RD-F-121 yellow Contributor OSINT depth score xdev_10: OSINT depth 2/5 — GitHub history, forum posts, Twitter handle; no real name, LinkedIn, employer. Krunal Amin: 4/5 — LinkedIn, UniDex CEO identity, news. Benjamin Simon: 3/5 — LinkedIn, Stealth Crypto role, news. Security Committee members (Q, SniperMonke, Raoul, Owen): 1/5 each (forum-only identity). 6 of 8 Safe signers: 0/5. Blended across all privileged role holders: approximately 1.5/5. Does not meet the green threshold (≥3.5 average across lead decision-makers).
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Three independent timelocks (86400s each: Timelock, GovTimelockController, ConfigTimelockController) provide a structural pre-execution observation window for governance and config changes. Tally governance has 2+ executed proposals with public discussion preceding execution. Security Committee Season 4 has a forum-posted mandate (gov.gmx.io/t/gmx-security-committee-season-4/5051). No specific admin-rescue or unannounced ACL change event found in the last 180 days from accessible public sources. However: (a) 6 of 8 Safe signer identities are unknown — signer rotation events could occur without public discussion; (b) RoleStore ACL enumeration not completed (deferred to governance-admin-analyst); cannot confirm all recent role grants were preceded by governance discussion. Scored yellow, not red: timelocks provide mitigation but the opacity of the signer set prevents green clearance.
RD-F-184 gray Real-capital social-engineering persona RD-F-184 is an M-only (manual curation) factor. No curator-flagged social-engineering persona with ≥$1M real-capital deposits to GMX or peer protocols has been identified. The canonical comparator pattern (Drift Protocol April 2026, UNC4736/TraderTraitor 6-month persona build-up) targeted Drift, not GMX. No OSINT surface suggests a suspicious 'external contributor' or 'integrator' persona with large deposits building credibility within GMX. Scored gray per methodology: absence of positive curator evidence cannot be converted to green without the affirmative confirmation framework pending PD-019. Drift-comparator pattern cited for reference.
RD-F-113 green Team other-protocol involvement history All identified team members have clean prior protocol history. Core dev: XVIX (2021) → Gambit Financial → GMX — 4-year unbroken track record with no rug exit; GMX is one of Arbitrum's largest protocols by TVL. Krunal Amin: UniDex is active live protocol. Benjamin Simon: Stealth Crypto is active. Web search for 'GMX rug exit scam deployer' returned zero adverse results. Rekt data cache: empty array for GMX v2 exploits. Gambit/XVIX migration was a community-approved rebrand, not a rug.
RD-F-114 green Deployer address prior on-chain history Primary v2 deployer 0xe7bfff2aB721264887230037940490351700a068 is labeled 'GMX: Deployer' by Arbiscan (confirmed via search snippet). Deployed DataStore on Arbitrum 2023-07-04 per search data. Legacy deployer 0x5f799f365fa8a2b60ac0429c48b153ca5a6f0cf8 has ENS 'xvix.eth' bound — maps to XVIX predecessor protocol (clean lineage). No linked-to-prior-rug label found on either address. Normal dev history with multiple GMX-related contract deployments.
RD-F-115 green Prior rug/exit-scam affiliation No rug or exit-scam affiliation found for any identified team member. Gambit/XVIX predecessor was a community-approved migration (not a rug). Web search 'GMX rug exit scam deployer': zero adverse results. Data cache rekt.incidents: empty. DeFiLlama hacks: empty for gmx-v2-perps. The July 2025 GMX v1 exploit was an external attacker event, not a team-initiated rug.
RD-F-118 green Handle reuse across failed/rugged projects No handle reuse across failed or rugged projects found. xdev_10/xdev10 GitHub and Twitter handles have been consistently linked to GMX since XVIX/Gambit era (~2021). gov.gmx.io posts show xdev_10 as a long-standing protocol developer. Krunal Amin (UniDex) and Benjamin Simon (Stealth Crypto) have unambiguous non-rugged project associations. No prior-rug alias detected for any identified handle.
RD-F-122 green Contributor paid to DPRK-cluster wallet No contributor wallet payment traced to DPRK/Lazarus cluster found. July 2025 exploit attacker funded themselves via Tornado Cash (2 ETH, July 7, 2025) — this is attacker personal funding, not a protocol payment to a contributor. Protocol does not publicly disclose individual contributor payment wallet addresses. No Chainalysis, TRM, OFAC, or analogous public report links any GMX team payment address to DPRK cluster. Admin Safe is the protocol treasury; no adverse flag on its origin.
RD-F-124 green Deployer wallet mixer-funded within 30 days Primary v2 deployer 0xe7bfff2aB721264887230037940490351700a068 deployed DataStore on Arbitrum 2023-07-04. No Tornado Cash or mixer interaction attributable to this deployer within 30 days of 2023-07-04 found across multiple independent search paths. The July 2025 attacker used TC to fund their personal wallet (2 ETH, July 7 2025) — this is an external exploiter's self-funding event 2 years after the v2 deploy, by a different address. Deployer wallet received a zero-value message from the attacker on July 11 2025 — passive receipt, not a mixer interaction. No adverse mixer flag for the deployer address.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK or Lazarus Group linkage found for any GMX team member, deployer wallet, or admin signer. Web search 'GMX team DPRK Lazarus North Korea' returned only generic Lazarus Group background articles — zero GMX-specific results. July 2025 GMX v1 hack: Halborn, Sherlock, SlowMist, CertIK analyses all describe an unattributed (likely white-hat) attacker who returned 89% of funds; no North Korean attribution across any source. ZachXBT noted Circle did not freeze USDC tied to this exploit but did not attribute to DPRK. OFAC SDN: no GMX team or signer entry. External attackers using GMX as a drain venue do NOT contaminate F125 per scoring instructions. ESCALATION NOT REQUIRED.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of GMX v2 is an original implementation. No upstream protocol declared. Profile §5 confirms: 'Not forked from any external protocol. GMX v2 is an original rewrite by the GMX core team.' Repo has no forked-from declaration.
RD-F-127 n/a Upstream patch not merged Not applicable - GMX v2 has no upstream protocol. Original implementation per profile §5.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) Not applicable - GMX v2 has no upstream protocol whose vulnerability disclosures would apply. Original implementation per profile §5.
RD-F-129 n/a Code divergence from upstream (%) Not applicable - no upstream to diff against. Original implementation per profile §5.
RD-F-130 n/a Fork depth (generations from original audit) Fork depth = 0 (not a fork). Original implementation per profile §5. Factor measures hop count from the originally-audited protocol - N/A for originals.
RD-F-131 n/a Fork retains upstream audit coverage Not applicable - no upstream audit to retain or lose. Original implementation per profile §5.
RD-F-132 n/a Fork has different economic parameters than upstream Not applicable - no upstream economic parameters to diverge from. Original implementation per profile §5.
RD-F-133 green Dependency manifest uses unpinned versions package.json pins @openzeppelin/contracts at '4.9.3' (exact, no caret). Chainlink Contracts pinned at '1.1.0' (exact). PRB Math pinned at '2.4.3' (exact). Hardhat uses ^2.26.1 but is a dev tool not deployed. forge-std submodule is dev-only. OZ and Chainlink - the security-critical deployed libraries - are exact-version pinned.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious release advisory found for OZ 4.9.3, Chainlink 1.1.0, or forge-std in trailing 90 days as of 2026-05-05. OZ 4.9.3 is itself a security patch release (CVE-2023-40014 fix). No supply chain attack incidents reported against these packages.
RD-F-135 green Shared-library version with known-vuln status OZ 4.9.3: CVE-2023-40014 (ERC2771Context _msgSender returns address(0)) is patched in 4.9.3 itself - GMX v2 uses the patched version. No evidence GMX v2 uses ERC2771Context or custom trusted forwarder pattern. OZ 4.9.4 has a Duplicated subcall bug but GMX is pinned at 4.9.3 (not 4.9.4). The 4.9.3 pinned version is clean for GMX v2's use case.
Post-deploy hygiene & change mgmt Yellow 20 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Two GitHub releases visible: V2.1 (commit ca7d92b) and V2.2 (commit ee721b7). Deployment JSON files in repo link contract addresses to source. However, releases are not GPG-signed; 'signed release-tag' in strict sense unverifiable. No independent bytecode reproducibility check performed.
RD-F-137 yellow Upgrade frequency (per 90 days) High upgrade frequency. GMX v2 uses re-deploy model. V2.1 June 2024, V2.2 September 2024. Multiple new contracts deployed in 2024-2025: GLV suite, ConfigTimelockController, ConfigSyncer with RiskOracle, Multichain/LayerZero suite. Last GitHub commit to contracts: 2026-04-27 (per data cache). Active ongoing development.
RD-F-139 yellow Post-audit code changes without re-audit Last individually linkable audit: ABDK (November 2023, commit 298c6d7f). Significant post-ABDK deployments without individually-linked audit PDFs: GLV vault suite, ConfigTimelockController, ConfigSyncer+RiskOracle, LayerZeroProvider and full Multichain suite, V2.1 features, V2.2 features. Guardian case study references 10 post-launch engagements covering GLV/multichain/gasless — ongoing coverage substantially mitigates risk but individual audit PDFs for specific features are not publicly linked with commit-hash coverage documentation. Not red due to documented ongoing Guardian coverage.
RD-F-145 yellow Deployed bytecode reproducibility Source code is public (BUSL-1.1); foundry.toml and hardhat config both present (data cache). Build toolchain is documented. Full bytecode reproducibility (compile locally to get byte-for-byte match) not independently verified in this assessment. Partial evidence supports reproducibility.
RD-F-168 yellow Stale-approval exposure on deprecated router GMX v2 re-deploy model means that when routers are upgraded, old approved addresses remain active for users who approved them. GMX docs note 'contract addresses change when logic contracts are upgraded' and 'integration updates' required — acknowledging stale approval hygiene gap. No active allowance scan performed; no current count of stale approvals to deprecated router addresses. Known architectural hygiene issue in re-deploy models.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant No explicit on-chain rate-limiter (per-window outflow cap) confirmed for the primary GMX v2 trading protocol. LayerZeroProvider.sol validates endpoint/provider (structural control) but no volume cap. Arbitrum sequencer has emergency powers but GMX does not control Arbitrum chain pauses. Operational manual pause demonstrated when GMX v1 trading was disabled post-July 2025 hack — but this is team operational action not a programmatic rate-limiter. Partial mitigant present (operational capability) but no formal on-chain rate-limit mechanism.
RD-F-138 gray Hot-patch deploys without timelock (last 30 days) Hot-patch deploys without timelock in last 30 days cannot be assessed. Re-deploy model means no Upgraded events to track; new contract deploys at new addresses are the upgrade mechanism. Arbiscan deploy event history unavailable (403). No confirmed hot-patches from public sources.
RD-F-144 gray CREATE2 factory permits same-address redeploy CREATE2 factory usage in market/GLV token deployment not confirmed. MarketFactory deploys per-market MarketTokens. Whether CREATE2 allows redeployment to same address with different bytecode is not confirmed without MarketFactory source inspection.
RD-F-146 gray New contract deploys in last 30 days New deploys in last 30 days not verified. Active development (last GitHub commit 2026-04-27 per data cache) suggests ongoing activity but specific new contract deploys in April-May 2026 not confirmed without Arbiscan scan.
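RD-F-168 records that no allowance scan was performed. The following is an added example of how such a scan is structured, written for this page rather than taken from defirisk.co or GMX: it replays ERC-20 Approval events (each of which carries the new allowance value) so that the last event per (token, owner, spender) is the current allowance, then counts nonzero allowances whose spender is a deprecated router. The router addresses, token labels, accounts and event log are all constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1

# Hypothetical addresses, constructed for the example (not GMX deployments).
ROUTER_OLD = "0xROUTER_OLD"          # deprecated after a re-deploy
ROUTER_CURRENT = "0xROUTER_CURRENT"  # address users should now approve
DEPRECATED_ROUTERS = {ROUTER_OLD}


@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) event with its chain position."""
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int  # the NEW allowance after this event, per the ERC-20 event semantics


# Constructed event log: alice re-approved the new router but never revoked
# the old one; bob revoked (Approval with value 0); carol only ever used the old router.
SAMPLE_APPROVALS = [
    Approval(100, 0, "USDC", "0xalice", ROUTER_OLD, MAX_UINT256),
    Approval(101, 3, "USDC", "0xbob", ROUTER_OLD, 5_000_000),
    Approval(150, 1, "USDC", "0xbob", ROUTER_OLD, 0),
    Approval(200, 0, "USDC", "0xalice", ROUTER_CURRENT, MAX_UINT256),
    Approval(210, 2, "WETH", "0xcarol", ROUTER_OLD, 10**18),
    Approval(220, 5, "USDC", "0xdave", ROUTER_CURRENT, 1_000),
]


def latest_allowances(events):
    """Replay events in chain order; the last one per key is the current allowance."""
    state = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        state[(ev.token, ev.owner, ev.spender)] = ev.value
    return state


def stale_approvals(events, deprecated):
    """Nonzero allowances whose spender is a deprecated router."""
    return [
        (token, owner, spender, value)
        for (token, owner, spender), value in latest_allowances(events).items()
        if spender in deprecated and value > 0
    ]


def summarize(events, deprecated):
    """Per deprecated router: how many live approvals, and how many are unlimited."""
    per_router = defaultdict(lambda: {"approvals": 0, "unlimited": 0})
    for _, _, spender, value in stale_approvals(events, deprecated):
        per_router[spender]["approvals"] += 1
        if value == MAX_UINT256:
            per_router[spender]["unlimited"] += 1
    return dict(per_router)


if __name__ == "__main__":
    for row in stale_approvals(SAMPLE_APPROVALS, DEPRECATED_ROUTERS):
        print("stale:", row)
    print(summarize(SAMPLE_APPROVALS, DEPRECATED_ROUTERS))
```

Event replay gives a candidate list, not ground truth: some token implementations decrement allowance on transferFrom without emitting an Approval event, so a production scan should confirm each candidate with an `allowance(owner, spender)` call at the scan block. The unlimited count is the figure worth surfacing in the factor, since a bounded stale approval caps the exposure while an unbounded one tracks the owner's full balance.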
RD-F-140 green Fix-merged-but-not-deployed gap No confirmed 'fix merged but not deployed' case found. Pre-launch Dedaub (2022-11) and ABDK (2023-11) audits had findings addressed before or at launch. No post-launch undeployed fix pattern identified from public sources.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters found in production. Admin is 5-of-8 Safe (not deployer). Oracle uses Chainlink Data Streams (not test oracle). No infinite allowances or test-only configurations found.
RD-F-142 green Storage-layout collision risk across upgrades GMX v2 uses re-deploy (not proxy upgrade) model — logic contracts get new addresses on upgrade; DataStore and RoleStore are the persistent state layer with static addresses. No proxy implementation slot exists; storage-layout collision is not applicable to this architecture.
RD-F-143 green Reinitializable implementation (no _disableInitializers) No proxy/upgradeable pattern used in GMX v2. Contracts use constructors for initialization, not initialize() functions. GitHub search for _disableInitializers returned 0 results — consistent with non-upgradeable architecture. Oracle.sol uses immutable variables. GovToken, MarketToken, Bank all use constructors.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Not applicable — GMX v2 trading protocol has no bridge surface. Profile §7 explicitly states has_bridge_surface: false, is_a_bridge: false. Data cache layerzero.present: false for the trading protocol. Per-chain deployments are independent instances with no protocol-owned cross-chain bridge. gmx-token-lz LayerZero bridge is a peripheral governance-token product not part of the trading protocol. All Cat 10 factors (F147–F157, F179) are not_applicable.
RD-F-148 n/a Bridge validator count (M) Not applicable — no bridge surface. See RD-F-147.
RD-F-149 n/a Bridge validator threshold (k-of-M) Not applicable — no bridge surface. See RD-F-147.
RD-F-150 n/a Bridge validator co-hosting Not applicable — no bridge surface. See RD-F-147.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) Not applicable — no bridge surface. RD-F-151 (bridge ecrecover checks) requires a bridge component. GMX v2 trading protocol has no bridge. Profile §7: has_bridge_surface: false.
RD-F-152 n/a Bridge binds message to srcChainId Not applicable — no bridge surface. See RD-F-147.
RD-F-153 n/a Bridge tracks nonce-consumed mapping Not applicable — no bridge surface. See RD-F-147.
RD-F-154 n/a Default bytes32(0) acceptable as valid root Not applicable — no bridge surface. RD-F-154 (bytes32(0) as valid bridge root) requires a bridge component. GMX v2 trading protocol has no bridge. Profile §7: has_bridge_surface: false.
RD-F-155 n/a Bridge validator-set rotation recency Not applicable — no bridge surface. See RD-F-147.
RD-F-156 n/a Bridge uses same key custody for >30% validators Not applicable — no bridge surface. See RD-F-147.
RD-F-157 n/a Bridge TVL per validator ratio Not applicable — no bridge surface. See RD-F-147.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Not applicable — no LayerZero OFT integration in the trading protocol. Data cache layerzero.present: false. gmx-token-lz (LayerZero OFT for GMX governance token) is a peripheral product, not the trading protocol. F179 applies only to LayerZero OFT integrations in the assessed protocol.
Threat intelligence & recon Green 0 8 of 8
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No documented mempool probe from known attacker cluster to GMX v2 core contracts at assessment date. Signal requires live mempool monitoring + TI cluster feed. Not assessable from public data. Gray.
RD-F-160 gray GitHub malicious-dependency incident touching protocol deps No GitHub Security Advisory (GHSA) specifically targeting a dependency used by gmx-synthetics documented at assessment date. The September 2025 Shai-Hulud npm supply chain attack (CISA advisory 2025-09-23) and October 2025 PhantomRaven campaign targeted broad npm ecosystems — no specific gmx-synthetics dependency confirmed compromised. Data cache: package_json_present: true, oz_contracts_version: 4.9.3. OpenZeppelin 4.9.3 has no critical unpatched advisory per public GHSA search. Requires ongoing GHSA feed monitoring.
RD-F-161 n/a Protocol-impersonator domain registered (typosquat) F161 definition: typosquat of official domain registered within last 90 days. gmx.io official domain: registered 2015-05-01 (Cloudflare, expiry 2028-07-31). Assessment date 2026-05-05. 90-day window: any candidate typosquat registered after 2026-02-04. The official domain is confirmed legitimate and long-established (11 years). However, scanning candidate typosquat domains (e.g., gmxprotocol.io, gmxio.xyz, gmxexchange.io, etc.) requires a domain monitoring / WHOIS bulk scan tool that is not available in this assessment. No typosquat confirmed or ruled out from public search results alone. Per process-learning guidance: mark not_assessed when registrar data for candidate domains cannot be obtained — do NOT score as curator-only.
RD-F-162 gray Known-exploit-template selector deployed by any address A GMX v1-specific exploit selector pattern exists in public hack DB (gmxPositionCallback reentrancy via executeDecreaseOrder, July 2025). GMX v2 architecture closes the v1 reentrancy path by updating the short average price in the same contract as order execution. No contract deploying a GMX v2-specific exploit template documented in public data. V1 template bytecode is in public post-mortems but not applicable to v2. Signal requires on-chain deploy scanning for GMX v2-applicable patterns. Gray — v1 template documented but not applicable; v2-specific template not in public exploit DB.
RD-F-163 gray Avg attacker reconnaissance time for peer-class protocols Peer perps DEX reconnaissance timing: Sept 2022 AVAX manipulation (v1, opportunistic, minimal pre-strike period); July 2025 v1 exploit (2-day timeline from Tornado Cash funding to exploit — compressed); Hyperliquid DPRK Dec 2024 (extended multi-month trading reconnaissance). No specific GMX v2-targeted reconnaissance activity documented in public sources. Class estimate for perps DEX: 2 days to 78 days range. Gray — metric indicator, no anomaly to report.
RD-F-164 gray Leaked credential on paste/sentry site No credential dump or paste site entry referencing GMX infrastructure endpoints, API keys, or deployment keys documented in public search at assessment date. Signal requires paste-site / Sentry monitoring feed. Not assessable from public data. Gray.
RD-F-165 gray Protocol social channel has scam-coordinator flag No documented scam-coordinator flagging of GMX Discord/Telegram admins in public sources. Profile §9 notes Discord not confirmed from public search. Signal requires curator social watchlist. Not assessable from public data. Gray.
RD-F-158 green Known-threat-actor cluster has touched protocol No confirmed DPRK/Lazarus cluster interaction with GMX v2 core contracts (ExchangeRouter, DataStore, OrderVault) documented in public sources at assessment date 2026-05-05. The July 2025 v1 exploit attacker is not publicly attributed to DPRK/Lazarus — they accepted a $5M white-hat bounty and returned the remaining funds. No Hyperliquid-equivalent DPRK reconnaissance episode documented for GMX v2. North Korean Lazarus Group 2025-2026 attacks targeted Bybit ($1.5B), Bitrefill, and broader crypto firms but GMX v2 not specifically named. Threshold: address from curator-maintained threat-actor cluster interacted with protocol core contracts within 30 days.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Hardhat config specifies Solidity 0.8.29, released 2025-03-12. The known LostStorageArrayWriteOnSlotOverflow bug was introduced in 0.1.0 and fixed in 0.8.32 - meaning 0.8.29 carries this unfixed bug. Severity is officially rated low (affects storage array operations straddling 2^256-slot boundary - extremely unlikely in practice). Not red because practical exploitability is negligible; yellow because 0.8.29 technically carries an unfixed known compiler bug per the Solidity bug list.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation GMX v2 is an original implementation with no upstream. Bytecode similarity to audited-upstream with behavior deviation (AI-copy risk) is not applicable to original protocols.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub search for 'co-authored-by copilot' in gmx-io/gmx-synthetics commits returned 0 results. Recent commits (a5865d1, 13d03b0, 9e4cc1e, 10cfbce) authored by gmxer and xdev10 without any AI tool disclosure markers. No AI co-authorship found.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public blog post, tweet, forum post, or documentation from the GMX team discloses AI-generated Solidity in security-critical paths. Substack, gov.gmx.io, x.com/GMX_IO reviewed; no AI-tool disclosure found.
RD-F-174 green Dependency tree uses EOL Solidity version Solidity 0.8.29 is actively supported (latest stable is 0.8.34 as of assessment date). Not on any EOL list. Vyper not detected (data cache: vyper_detected: false). forge-std submodule is dev-only and does not affect deployed bytecode. No EOL dependency in the deployed stack.
Response & disclosure hygiene Green 11 4 of 4
RD-F-176 yellow Disclosure SLA public No formal acknowledgment-time SLA published (e.g., 'will acknowledge within 72 hours'). Immunefi program page reports 9h median resolution time which is a de-facto strong SLA, but the methodology requires a formally stated commitment for green. No standalone disclosure policy on docs.gmx.io with explicit SLA language found. Score = yellow.
RD-F-175 n/a Disclosure channel exists Immunefi bug bounty program is active at https://immunefi.com/bug-bounty/gmx/ with $5M max payout for critical smart contract vulnerabilities, 250 in-scope assets across Arbitrum and Avalanche. Program active since 2021-10-20; $2.6M paid across 22 reports confirms active monitoring and payout history. Immunefi median resolution time of 9 hours. Score = green.
RD-F-177 green Prior known-ignored disclosure No evidence found that a disclosed vulnerability was reported to GMX and ignored before exploitation. The July 2025 v1 reentrancy was introduced by an unintended side-effect of a 2022 security patch (confirmed by PeckShield analysis) — not a case of a known-but-ignored disclosure. The 2022 Collider VC bug ($0 loss, bounty paid) demonstrates the team acted promptly on a reported vulnerability. Abracadabra March 2025 was Abracadabra's own bug. No post-mortem or third-party report documents a 'reported to GMX and ignored' pattern. Score = green.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found against GMX v2 (gmx-io/gmx-synthetics repository). GitHub Security Advisories searched for 'gmx-io' and 'gmx-synthetics' — no results. No NVD/CVE entry found for GMX. The Dedaub 2022 pre-launch audit finding (critical reentrancy in cancelOrder) was a pre-launch audit finding addressed before mainnet deployment, not a public CVE. Score = green.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol gmx-v2