Oracle price deviation >X% from secondary
GMX v2 (GMX Synthetics)'s assessment for RD-F-099 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
GMX v2 uses Chainlink Data Streams (pull-based, DON-signed). Oracle prices delivered by whitelisted ORACLE_SIGNER addresses in RoleStore (0x3c3d99FD298f679DBC2CEcd132b4eC4d0F5e6e72 on Arbitrum). ORACLE_SIGNER addresses not publicly enumerated in docs.gmx.io — centralization surface. 19 Chainlink push-feed addresses in data cache serve as reference/fallback. No confirmed >1% sustained oracle deviation at assessment date. Yellow structural risk: GMX docs explicitly note no automated L2 sequencer liveness check — keepers must manually pause on Arbitrum sequencer outage, creating a window where stale prices could be accepted. Signal not in production scope (phase-2). Threshold: |primary-secondary|/primary > 1% sustained >=4 blocks.
Sources #
- URLhttps://chaoslabs.xyz/posts/role-of-oracle-security-in-defi-derivatives-with-gmx-and-chainlinkretrieved 2026-05-05
- https://gov.gmx.io/t/gmx-v2-new-low-latency-chainlink-feeds/2050retrieved 2026-05-05
- https://docs.gmx.io/docs/api/contracts/known-issues/retrieved 2026-05-05
Methodology #
Detect whether the primary oracle's reported price deviates >X% from the best available secondary source (another feed or venue).
See the full factor methodology and distribution across all protocols →