Deployed bytecode matches signed release tag

GMX v2 (GMX Synthetics)'s assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Two GitHub releases visible: V2.1 (commit ca7d92b) and V2.2 (commit ee721b7). Deployment JSON files in repo link contract addresses to source. However, releases are not GPG-signed; 'signed release-tag' in strict sense unverifiable. No independent bytecode reproducibility check performed.

Sources #

GitHub
Arbitrum deployment JSON filesDeployment JSONs in deployments/arbitrum/ link addresses to contract names and commit contextretrieved 2026-05-05
GitHub
GMX synthetics releasesGitHub releases: V2.1 commit ca7d92b, V2.2 commit ee721b7retrieved 2026-05-05

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol gmx-v2 factor RD-F-136 score yellow collected_at 2026-05-05 11:15:06