GMX V2
DAMASCUSPerps DEX · Arbitrum + Avalanche · $500M+ TVL · 20 contracts
Confidence 64%Z-Factor 0.75Updated 2026-05-17Public Score
Public risk assessment — scores are produced with the same methodology as monitored protocols
784
BRI Score
3004756508251000
Security Profile
Access Control
75
75
Economic Soundness
72
72
Oracle Integrity
78
78
Compositional Risk
70
70
Governance
55
55
Maturity
75
75
Resilience
60
60
Supply Chain
82
82
Op Security
53
53
Cascade Exposure
87
87
Access Ctrl
75
75
Economic
72
72
Oracle
78
78
Compos.
70
70
Govern.
55
55
Maturity
75
75
Resilience
60
60
Supply Ch.
82
82
OpSec
53
53
Cascade
87
87
Min
53
Avg
71
Max
87
Audit History
Sherlock Competition
2023-03
Guardian Audits
2023-07
Cyfrin
2024-01
Bug Bounty Program
$500,000
Max payout on Immunefi
Assessment
Mature perps protocol with V2 design improvements from V1 lessons. Oracle hardening from V1 exploit is a strength. Governance centralization (D5=55) and perps economic complexity (D2=72) are main drags.
Dimension Breakdown
How scores work →Access Control
Weight 18%78% conf
75
arrow_forwardGood
+19Complex order/position lifecycle with keeper execution
+19Role-based access: controller, order keeper, liquidation keeper
+19Config store with wide admin surface for market parameters
+19Reentrancy protection on core paths
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 13%74% conf
72
arrow_forwardGood
-28GM pool model isolates risk per market (improvement over V1 GLP)
+24Funding rates, borrowing fees, price impact model
+24PnL settlement from pool reserves: large winning trades can stress pool
+24Open interest caps provide some protection
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 13%80% conf
78
arrow_forwardGood
+20Chainlink Data Streams (low-latency, signed reports)
+20Custom oracle module with validation and staleness checks
+20V1 AVAX oracle manipulation led to significant hardening in V2
+20Two-step execution (order creation + keeper execution) limits frontrunning
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 12%78% conf
75
arrow_forwardGood
+15V2 live since Aug 2023 (~2 years)
+15V1 since Sep 2021 (org maturity 4+ years)
+15V1 AVAX oracle manipulation incident (2022) handled and led to V2 hardening
+15Audited by ABDK, Guardian, Sherlock contest
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 10%78% conf
55
arrow_forwardModerate
-45Team multisig with no formal timelock on config changes
+18GMX token governance is limited
+18Market parameter changes can be immediate
+18Some decentralization via Arbitrum governance
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%95% conf
60
Moderate
- Score derived from continuous adversarial security research
Operational Security
Weight 10%60% conf
53
arrow_forwardConcerning
-8No branch protection detected
-8CI/CD present but unstable (60% success)
+26Commit signing: 60% verified
-8Weak PR review coverage (27%)
receipt_longView provenance chainarrow_forward
Compositional Risk
Weight 5%74% conf
70
arrow_forwardGood
+18Arbitrum-native, limited cross-chain exposure
+18GM pools integrate as yield sources in other protocols
+18Chainlink dependency is critical path
+18Keeper infrastructure centralization
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%60% conf
87
arrow_forwardStrong
+22Appears in 2 cross-protocol cascade chain(s)
+22Failure cascades to 2 downstream protocol(s)
+22Member of 4 dependency cluster(s)
-13Score: 87/100 (higher = more isolated from systemic risk)
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%80% conf
82
arrow_forwardStrong
+20Standard libraries with custom oracle integration layer
+20Reasonable dependency chain
+20Modern Solidity versions
+20Non-upgradeable core (markets are deployed fresh)
receipt_longView provenance chainarrow_forward
Risk Drivers
Primary risk factors driving this score, ordered by severity.
Operational Security53
Governance & Upgradeability55
Adversarial Resilience60
Adversarial Risk Signals
Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.
Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Score History & Verification
Score provenance tracking begins with the next reassessment.
On-Chain Data
- Protocol Slug
- "gmx-v2"
- Oracle
- BRORegistry (Base)
- Evidence
- IPFS (pinned)
- Staleness Threshold
- 24 hours
Read Score
registry.getScore("gmx-v2")Reduce exploitable risk
BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.