★ Oracle source = spot DEX pool (no TWAP)
GMX v2 (GMX Synthetics)'s assessment for RD-F-053 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL] Primary oracle is Chainlink Data Streams (pull-based, DON-signed). No spot DEX pool reads. GmOracleProvider uses ECDSA multi-signer verification on off-chain signed (minPrice, maxPrice) pairs. ChainlinkPriceFeedProvider uses AggregatorV3Interface.latestRoundData() — a push-oracle, not a DEX spot pool. No slot0(), getReserves(), observe() or TWAP-consult pattern found in any oracle path.
Detail #
GmOracleProvider.sol source inspection: price delivery via signed report with salt, block numbers, oracle timestamp, token, minPrice, maxPrice — verified via ECDSA.recover() (OZ implementation). No Uniswap/Curve/Balancer pool reads. ChainlinkPriceFeedProvider.sol uses latestRoundData() from AggregatorV3Interface — standard push oracle. Data cache oracle_feeds[] contains 19 Chainlink AggregatorV3 feeds (no DEX pools). Template: green = all oracles use push-oracle (Chainlink Data Streams is a pull implementation of DON-signed prices, functionally equivalent to a high-frequency push oracle).
Sources #
- GitHubChainlinkPriceFeedProvider.solChainlinkPriceFeedProvider.sol — latestRoundData() push feedretrieved 2026-05-05
- GmOracleProvider.solGmOracleProvider.sol — DON-signed price delivery, no DEX pool readsretrieved 2026-05-05
Methodology #
Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.
See the full factor methodology and distribution across all protocols →