★ Sudden admin-rescue/ACL change without discussion

GMX v2 (GMX Synthetics)'s assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Three independent timelocks (86400s each: Timelock, GovTimelockController, ConfigTimelockController) provide structural pre-execution observation window for governance and config changes. Tally governance has 2+ executed proposals with public discussion preceding execution. Security Committee Season 4 has forum-posted mandate (gov.gmx.io/t/gmx-security-committee-season-4/5051). No specific admin-rescue or unannounced ACL change event found in last 180 days from accessible public sources. However: (a) 6 of 8 Safe signer identities are unknown — signer rotation events could occur without public discussion; (b) RoleStore ACL enumeration not completed (deferred to governance-admin-analyst); cannot confirm all recent role grants were preceded by governance discussion. Scored yellow, not red: timelocks provide mitigation but opacity of signer set prevents green clearance.

Sources #

Docs
00-profile.md §6 — Timelock/GovTimelockController/ConfigTimelockController all 86400s; MAX_TIMELOCK_DELAY 5 days on operational Timelockretrieved 2026-05-05
URL
https://www.tally.xyz/gov/gmxretrieved 2026-05-05
GitHub
https://github.com/gmx-io/gmx-synthetics/issuesretrieved 2026-05-05
Governance
https://gov.gmx.io/t/gmx-security-committee-season-4/5051retrieved 2026-05-05

Methodology #

Determine whether any admin-rescue function or ACL change was committed to the repo or executed on-chain without corresponding public discussion in issues, PRs, or governance forum.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol gmx-v2 factor RD-F-123 score yellow collected_at 2026-05-05 11:15:06