Scores/GMX V2

GMX V2

DAMASCUS

Perps DEX · Arbitrum + Avalanche · $500M+ TVL · 20 contracts

Official site: gmx.io ↗

784

3004756508251000

Confidence64%

Z-Factor0.75

Updated 2026-05-27Public score

Security Profile

Access Control
75

Economic Soundness
72

Oracle Integrity
78

Compositional Risk
70

Governance
55

Maturity
75

Resilience
60

Supply Chain
82

Op Security
53

Cascade Exposure
87

Access Ctrl
75

Economic
72

Oracle
78

Compos.
70

Govern.
55

Maturity
75

Resilience
60

Supply Ch.
82

OpSec
53

Cascade
87

Min

Avg

Max

Audit History

Sherlock Competition

2023-03

Guardian Audits

2023-07

Cyfrin

2024-01

Bug Bounty Program

$5,000,000

Max payout on Immunefi

View Program

Assessment

Mature perps protocol with V2 design improvements from V1 lessons. Oracle hardening from V1 exploit is a strength. Governance centralization (D5=55) and perps economic complexity (D2=72) are main drags.

Dimension Breakdown

Methodology

Access Control

Weight 18% · 78% confidence

+19Complex order/position lifecycle with keeper execution

+19Role-based access: controller, order keeper, liquidation keeper

+19Config store with wide admin surface for market parameters

+19Reentrancy protection on core paths

Provenance

Economic Soundness

Weight 13% · 74% confidence

+18GM pool model isolates risk per market (improvement over V1 GLP)

+18Funding rates, borrowing fees, price impact model

+18PnL settlement from pool reserves: large winning trades can stress pool

+18Open interest caps provide some protection

Provenance

Oracle Integrity

Weight 13% · 80% confidence

+20Chainlink Data Streams (low-latency, signed reports)

+20Custom oracle module with validation and staleness checks

+20V1 AVAX oracle manipulation led to significant hardening in V2

+20Two-step execution (order creation + keeper execution) limits frontrunning

Provenance

Battle-Tested Maturity

Weight 12% · 78% confidence

+15V2 live since Aug 2023 (~2 years)

+15V1 since Sep 2021 (org maturity 4+ years)

+15V1 AVAX oracle manipulation incident (2022) handled and led to V2 hardening

+15Audited by ABDK, Guardian, Sherlock contest

Provenance

Governance & Upgradeability

Weight 10% · 78% confidence

+14Team multisig with no formal timelock on config changes

+14GMX token governance is limited

+14Market parameter changes can be immediate

+14Some decentralization via Arbitrum governance

Provenance

Adversarial Resilienceredacted

Weight 10% · 95% confidence

Score derived from continuous adversarial security research

Provenance

Operational Security

Weight 10% · 60% confidence

-16No branch protection detected

-16CI/CD present but unstable (60% success)

+18Commit signing: 60% verified

-16Weak PR review coverage (27%)

Provenance

Compositional Risk

Weight 5% · 74% confidence

+18Arbitrum-native, limited cross-chain exposure

+18GM pools integrate as yield sources in other protocols

+18Chainlink dependency is critical path

+18Keeper infrastructure centralization

Provenance

Cascade Exposure

Weight 5% · 60% confidence

+29Appears in 2 cross-protocol cascade chain(s)

-13Failure cascades to 2 downstream protocol(s)

+29Member of 4 dependency cluster(s)

+29Source: cross_protocol_composition.json dependency analysis

Provenance

Supply Chain

Weight 4% · 80% confidence

+20Standard libraries with custom oracle integration layer

+20Reasonable dependency chain

+20Modern Solidity versions

+20Non-upgradeable core (markets are deployed fresh)

Provenance

Top Score Drivers

Dimensions with the greatest marginal impact on BRI.

Operational Security

53+31.7 potential

Commit signing: 60% verified

Governance & Upgradeability

55+29.8 potential

Team multisig with no formal timelock on config changes

Access Control

75+25.7 potential

Complex order/position lifecycle with keeper execution

Adversarial Resilience

60+25.4 potential

Economic Soundness

72+21.1 potential

GM pool model isolates risk per market (improvement over V1 GLP)

Adversarial Risk Signals

Publicly verifiable security posture indicators.

Disclosure HistoryNot Assessed

Remediation VelocityNot Assessed

Bug Bounty ProgramNot Assessed

Audit CoverageNot Assessed

Incident HistoryNot Assessed

Deployed 2023-08-0410 dimensionsProvenance Ledger

methodology v2.1formula v1.1weights v1.1evidence sha256:sha256:6...

Score History & Verification

Score provenance tracking begins with the next reassessment.

Full provenance ledger

On-Chain Data

Protocol Slug: "gmx-v2"
Oracle: BRORegistry (Base)
Evidence: IPFS (pinned)
Staleness Threshold: 24 hours

Read Score

registry.getScore("gmx-v2")

Reduce exploitable risk

Continuous adversarial analysis, vulnerability detection, and verified reassessment.

View Plans Methodology

Embed this score

Live, updates automatically. Free for any site. Click-through links open the full report on BlackHart.

Public

Style

Theme

Format

Preview

Copy iframe code

<iframe
  src="https://blackhart.io/embed/oracle/gmx-v2?variant=card&theme=dark"
  title="BlackHart Risk Index: GMX V2"
  width="340"
  height="290"
  frameborder="0"
  loading="lazy"
  style="border:0; max-width:100%;"
></iframe>

Believe this score contains a factual error? Submit evidence for review