GMX V2 Synthetics risk report (mainnet, beta)
Risk score: 5.9 / 10 (moderate)
Findings: 3 critical, 14 high, 13 medium
Analysis run #1 (6 sections); last analyzed 16 days ago

Summary

GMX V2 Synthetics is a decentralized perpetuals exchange with ~$161M TVL concentrated on Arbitrum ($151M) and Avalanche ($8.9M), using isolated GM pools, keeper-mediated execution, and Chainlink-based oracles. V2 has operated without a confirmed exploit since August 2023, backed by an unusually deep Guardian audit retainer (30+ engagements) and a $5M Immunefi bounty. However, 46% of sampled deployed contracts are unverified—including 100% of Botanix and MegaETH deployments and the primary Chainlink Data Streams provider—source chains grant ROLE_ADMIN to EOAs bypassing DAO timelocks, settlement chains expose CONFIG_KEEPER and TIMELOCK_ADMIN to multiple single-key holders, and oracle/bridge dependencies lack on-chain failover. The July 2025 V1 reentrancy exploit (~$42M, largely recovered) did not affect V2 but raises patch-discipline concerns for the shared contributor set. Overall risk is moderate at 5.9/10, driven by verification gaps, cross-chain governance asymmetry, and dependency concentration rather than settlement-chain exploit history.

Trust Assumptions

Users and LPs must trust that Chainlink price feeds and unverified Data Streams providers deliver accurate, timely prices with no automatic failover if either fails or is manipulated; that permissioned ORDER_KEEPER and Gelato relay infrastructure remains live and uncompromised; that the 5-of-8 Gnosis Safe (0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D) and 24-hour timelocks on Arbitrum/Avalanche will not execute malicious upgrades; that six CONFIG_KEEPER EOAs and two TIMELOCK_ADMIN EOAs on settlement chains will not be compromised to manipulate price-impact parameters or timelock operations; that LayerZero+Stargate cross-chain messaging and peer whitelists are correctly configured; that Botanix and MegaETH EOA ROLE_ADMIN holders (two per chain) will not reconfigure bridge routers or grant themselves CONTROLLER privileges; and that live bytecode on all chains matches audited gmx-synthetics commits despite 25 unverified deployments blocking independent confirmation.

What Could Go Wrong

A compromised CONFIG_KEEPER EOA could set extreme price-impact parameters to extract value from traders and LPs across ~$161M settlement TVL, or a compromised Botanix/MegaETH ROLE_ADMIN EOA could immediately grant bridge CONTROLLER roles and accept fraudulent LayerZero messages—potentially double-minting deposits (a risk explicitly documented in LayerZeroProvider comments with frontend-only mitigation). Chainlink oracle failure or manipulation on a low-liquidity market could trigger incorrect liquidations or bad fills with no on-chain provider failover, echoing the 2022 V1 AVAX manipulation (~$565K). Cross-chain V2.2 infrastructure carries residual risk from Guardian's Low Confidence 2/5 rating (Jul 2025) without a confirmed follow-up audit at production commit, and nascent MegaETH (~2.5 months) and Botanix (~11 months) deployments have not been adversarially tested. Separately, GMX token holders face suspended staking rewards until $90 with reported single-holder governance concentration and ~17% unminted esGMX vesting headroom creating sell-pressure risk unrelated to perps contract safety.

Recommendation

Treat Arbitrum and Avalanche settlement-chain perps and GM/GLV LP positions as acceptable for moderate allocation given V2's clean ~2.8-year exploit record, reentrancy hardening, and strong audit posture—but size positions cognizant of oracle single-point-of-failure, keeper liveness, and EOA privileged roles. Avoid or strictly limit exposure via Botanix and MegaETH until contracts are verified on-chain and ROLE_ADMIN is migrated to multisig-plus-timelock governance matching settlement chains. Monitor: (1) block-explorer verification status for ChainlinkDataStreamProvider and Avalanche DataStore, (2) RoleStore changes to CONFIG_KEEPER, TIMELOCK_ADMIN, and source-chain ROLE_ADMIN, (3) Chainlink feed staleness and sequencer uptime on Arbitrum, (4) cross-chain router upgrades and Guardian follow-up audit publication, and (5) any V1/V2 shared infrastructure changes post-July 2025. Reduce exposure if unverified contract count rises, source-chain EOAs rotate, or a V2 incident occurs; the $5M Immunefi bounty and Guardian retainer are meaningful offsets but do not substitute for bytecode verification on live deployments.

Key Findings (30)

[critical] 25 Unverified Contracts — Source Audit Impossible [verification]
[critical] Single Oracle Provider Per Token — No On-Chain Fallback [oracle]
[critical] July 2025 V1 Reentrancy Exploit (~$42M) [incident]
[high] TIMELOCK_ADMIN Role Held by EOAs [access-control]
[high] CONFIG_KEEPER Role Held by Multiple EOAs [access-control]
[high] Avalanche DataStore Unverified on Settlement Chain [verification]
[high] Source Chains Lack On-Chain DAO Governance [cross-chain]
[high] Botanix ROLE_ADMIN Held by EOAs, Not Multisig [centralization]
[high] MegaETH ROLE_ADMIN Held by EOAs [centralization]
[high] Staking Rewards Suspended Until $90 Price Threshold [incentives]
[high] ChainlinkDataStreamProvider Unverified on Settlement Chains [oracle]
[high] LayerZero + Stargate Cross-Chain Stack [bridge]
[high] Documented Double-Deposit Risk on Cross-Chain Bridge-In [bridge]
[high] 25 Unverified Contracts — Entire Source-Chain Deployments Opaque [unverified]
[high] 25 Unverified Deployed Contracts Break Audit-to-Bytecode Mapping [audit-gap]
[high] Botanix and MegaETH Deployments Fully Unverified [audit-gap]
[high] September 2022 V1 AVAX Oracle Manipulation (~$565K) [incident]
[medium] Non-Proxy Redeploy Upgrade Model [upgradability]
[medium] Governance Multisig Differs from Documented 2-of-3 [governance]
[medium] Oracle setPrimaryPrice Callable by CONTROLLER Role [oracle]
[medium] No Global Pause — Feature-Flag Disable Only [emergency]
[medium] Cross-Chain Routers Use RoleModule — LayerZero setPeer in Dependency Layer [bridge]
[medium] Multisig Threshold Mismatch vs Public Claims [documentation]
[medium] 24-Hour Timelock on All Active Execution Paths [timelock]
[medium] Broad CONTROLLER Role Across 34–40 Contracts Per Chain [operational]
[medium] TIMELOCK_ADMIN Held by Three Individual EOAs [centralization]
[medium] 25 Unverified Contracts Elevate Governance/Ops Opacity [verification]
[medium] Dual Timelock Architecture With Legacy Address Confusion [architecture]
[medium] Avalanche Missing ConfigTimelockController [cross-chain]
[medium] Remaining Supply Headroom (~17%) via esGMX Vesting [emission]

Analysis Sections

GMX V2 settlement chains (Arbitrum, Avalanche) deploy a real OpenZeppelin ProtocolGovernor with 24-hour timelocks and a 5-of-8 Gnosis Safe execution multisig, but discovery/docs overstate decentralization (claimed 2-of-3 multisig). Source chains Botanix and MegaETH lack on-chain governors and grant ROLE_ADMIN to EOAs. Twenty-five contracts in scope are unverified, including all Botanix/MegaETH deployments and legacy timelock addresses.

Findings (13)

[high] Source Chains Lack On-Chain DAO Governance

Botanix and MegaETH deployments have no ProtocolGovernor, ConfigTimelockController, or token-governed timelock. Cross-chain routing (LayerZero multichain routers) and core handlers on these chains are controlled exclusively via RoleStore roles, bypassing the Arbitrum/Avalanche DAO path that docs describe as community-governed.

Evidence (discovery.json): botanix and megaeth contract lists omit ProtocolGovernor, Timelock, and ConfigTimelockController
Evidence (on-chain RPC): Botanix RoleStore 0x51Aa17ca59E9e9C3cEc3c3c05c2B35f473b35D39: ROLE_ADMIN count=2 (EOAs); MegaETH RoleStore 0xecA46636BDDbb4F451ca2B7062C7E36744934655: ROLE_ADMIN count=2 (EOAs)
[high] Botanix ROLE_ADMIN Held by EOAs, Not Multisig

On Botanix, the two ROLE_ADMIN holders (0x3d6BA4a91Ffde7C519379F8dCA5FE58b7125c294 and 0x72A30e76827Ce83CeF0b1bEd7e9aaF9F4A576990) are externally owned accounts, not Gnosis Safes. ROLE_ADMIN can grant or revoke every protocol role in RoleStore, including CONTROLLER and CONFIG_KEEPER, enabling immediate privilege escalation without timelock or token vote.

Evidence (on-chain RPC): Botanix ROLE_ADMIN members: 0x3d6BA4a91Ffde7C519379F8dCA5FE58b7125c294, 0x72A30e76827Ce83CeF0b1bEd7e9aaF9F4A576990; getThreshold()/getOwners() revert (not Gnosis Safe)
Evidence (contract source): RoleStore.grantRole/revokeRole gated by onlyRoleAdmin; constructor grants ROLE_ADMIN to deployer
[high] MegaETH ROLE_ADMIN Held by EOAs

MegaETH mirrors Botanix: two EOA addresses (0x9d5f3fac443748c28FB5dc964D74F8419F686F6D, 0xbF96f66932C1D826C172a80be7c062Ab6B26a4CC) hold ROLE_ADMIN with no multisig or timelock wrapper. With ~$760K TVL on MegaETH and cross-chain message paths, compromised keys could reconfigure bridge routers and handlers.

Evidence (on-chain RPC): MegaETH ROLE_ADMIN members are EOAs; getThreshold() reverts on both addresses
[medium] Multisig Threshold Mismatch vs Public Claims

Discovery reports a 2-of-3 Gnosis Safe executing Snapshot votes. On-chain verification of TIMELOCK_MULTISIG holder 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D shows a 5-of-8 Safe on both Arbitrum and Avalanche (8 owners, threshold 5). Botanix additionally uses a separate 5-of-8 Safe (0x656fa39BdB5984b477FA6aB443195D72D1Accc1c) with a partially overlapping but distinct signer set.

Evidence (discovery.json): executionMultisig: 2-of-3 Gnosis Safe (community-reported)
Evidence (on-chain RPC): 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D: getThreshold()=5, getOwners()=8 addresses; Botanix 0x656fa39BdB5984b477FA6aB443195D72D1Accc1c: 5-of-8 with different owner set
[medium] 24-Hour Timelock on All Active Execution Paths

Both the governor timelock (Arbitrum 0x4bd1cdAab4254fC43ef6424653cA2375b4C94C0E, Avalanche 0xC55e165Bf9247256DBeCA8DDE892aE9a7B271b2D) and ConfigTimelockController (Arbitrum 0xC77E6C0ca99E02660A23c00A860Dd5a8912DEaF5) enforce getMinDelay()=86400 seconds (24 hours). For a ~$161M TVL derivatives protocol, this is a relatively short delay window for malicious or erroneous upgrades.

Evidence (on-chain RPC): Arbitrum governor timelock getMinDelay()=86400; ConfigTimelockController getMinDelay()=86400; Avalanche governor timelock getMinDelay()=86400
Evidence (contract source): ConfigTimelockController extends OpenZeppelin TimelockController with minDelay constructor parameter
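The on-chain probes behind the three findings above (EOA versus Gnosis Safe via getThreshold()/getOwners() on the Botanix and MegaETH ROLE_ADMIN holders, the 5-of-8 threshold and owner count on the execution Safe, and getMinDelay() on the governor and config timelocks) can be reproduced without a web3 library. The script below is an added example written for this page, not GMX, Guardian or the report pipeline's code. The selectors are the standard Gnosis Safe and OpenZeppelin ones; the `Rpc` transport type, `probe_account`, `rate_role_admin` and `fake_rpc` are names chosen here, and every address and response inside `fake_rpc` is constructed sample data rather than live chain state. Point `probe_account` at a real JSON-RPC transport that raises on revert to repeat the report's RoleStore membership classification.

```python
"""Replica of the role-holder probes this report cites: eth_getCode, Gnosis Safe
getThreshold()/getOwners(), OpenZeppelin getMinDelay(). Added example, not GMX,
Guardian or pipeline code; fake_rpc holds constructed data, not live chain state."""
from typing import Callable, Dict, List, Optional

SEL = {                              # keccak256(signature)[:4], standard ABIs
    "getThreshold()": "0xe75235b8",  # Gnosis Safe -> uint256
    "getOwners()": "0xa0e67e2b",     # Gnosis Safe -> address[]
    "getMinDelay()": "0xf27a0c92",   # OZ TimelockController -> uint256
}
# Transport assumed by this example: (method, params) -> hex result string,
# raising RuntimeError when the node reports "execution reverted".
Rpc = Callable[[str, list], str]


def decode_uint256(ret: str) -> int:
    data = bytes.fromhex(ret[2:])
    if len(data) != 32:
        raise ValueError("expected a single 32-byte word")
    return int.from_bytes(data, "big")


def decode_address_array(ret: str) -> List[str]:
    """ABI dynamic address[]: head offset, length word, then 32-byte words
    with the 20-byte address right-aligned in each."""
    data = bytes.fromhex(ret[2:])
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:]
    if len(body) < 32 * length:
        raise ValueError("truncated address[] payload")
    return ["0x" + body[32 * i + 12:32 * i + 32].hex() for i in range(length)]


def _call(rpc: Rpc, to: str, selector: str) -> Optional[str]:
    """eth_call with a bare selector; None on revert or empty return data."""
    try:
        ret = rpc("eth_call", [{"to": to, "data": selector}, "latest"])
    except RuntimeError:
        return None
    return None if ret in ("0x", "") else ret


def probe_account(rpc: Rpc, address: str) -> Dict:
    """Classify a RoleStore member as eoa, safe (threshold + owners),
    timelock (min_delay) or an opaque contract, in that order of probing."""
    if rpc("eth_getCode", [address, "latest"]) in ("0x", "0x0", ""):
        return {"address": address, "kind": "eoa"}
    thr = _call(rpc, address, SEL["getThreshold()"])
    owners = _call(rpc, address, SEL["getOwners()"])
    if thr is not None and owners is not None:
        return {"address": address, "kind": "safe",
                "threshold": decode_uint256(thr),
                "owners": decode_address_array(owners)}
    delay = _call(rpc, address, SEL["getMinDelay()"])
    if delay is not None:
        return {"address": address, "kind": "timelock",
                "min_delay": decode_uint256(delay)}
    return {"address": address, "kind": "contract"}


def rate_role_admin(holders: List[Dict]) -> str:
    """Simplified rating in the spirit of the report's ROLE_ADMIN table:
    any EOA -> High; only timelocks -> Low; any other mix -> Medium."""
    kinds = {h["kind"] for h in holders}
    if "eoa" in kinds:
        return "High"
    return "Low" if kinds <= {"timelock"} else "Medium"


# --- constructed sample chain state; these are not GMX addresses -------------
SAFE_ADDR = "0x" + "11" * 20
EOA_ADDR = "0x" + "22" * 20
TIMELOCK_ADDR = "0x" + "33" * 20
SAFE_OWNERS = ["0x" + f"{0xa0 + i:040x}" for i in range(8)]


def _word(n: int) -> str:
    return "0x" + n.to_bytes(32, "big").hex()


def _encode_address_array(addrs: List[str]) -> str:
    words = [(32).to_bytes(32, "big"), len(addrs).to_bytes(32, "big")]
    words += [bytes(12) + bytes.fromhex(a[2:]) for a in addrs]
    return "0x" + b"".join(words).hex()


def fake_rpc(method: str, params: list) -> str:
    """Stand-in for a JSON-RPC endpoint: one 5-of-8 Safe, one EOA, one 24h
    timelock. Selectors the target lacks revert, as a missing function would."""
    if method == "eth_getCode":
        return "0x" if params[0] == EOA_ADDR else "0x6080604052"
    key = (params[0]["to"], params[0]["data"])
    table = {
        (SAFE_ADDR, SEL["getThreshold()"]): _word(5),
        (SAFE_ADDR, SEL["getOwners()"]): _encode_address_array(SAFE_OWNERS),
        (TIMELOCK_ADDR, SEL["getMinDelay()"]): _word(86400),
    }
    if key not in table:
        raise RuntimeError("execution reverted")
    return table[key]


if __name__ == "__main__":
    for a in (SAFE_ADDR, EOA_ADDR, TIMELOCK_ADDR):
        print(probe_account(fake_rpc, a))
```

Two caveats when running this against a live node. The eth_getCode short-circuit is what the report records for the Botanix and MegaETH holders; a contract that merely answers getThreshold()/getOwners() is not thereby an official Safe deployment, so a production check should also read the proxy's singleton (storage slot 0) and compare it against the published Safe singleton addresses. And a contract with a catch-all fallback can answer every selector with empty data, which `_call` treats as "not implemented" rather than as a value.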
[medium] Broad CONTROLLER Role Across 34–40 Contracts Per Chain

RoleStore grants CONTROLLER to 40 addresses on Arbitrum, 38 on Avalanche, 34 on Botanix, and 34 on MegaETH. CONTROLLER can mutate DataStore state (setUint, setAddress, setBool, etc.) per contract source. Handler and router upgrades rely on adding new CONTROLLER members rather than immutable logic, creating a large attack surface if any controller contract is compromised.

Evidence (on-chain RPC): Arbitrum CONTROLLER count=40; Avalanche=38; Botanix=34; MegaETH=34
Evidence (contract source): DataStore functions gated by onlyController modifier for all key-value mutations
[medium] TIMELOCK_ADMIN Held by Three Individual EOAs

The TIMELOCK_ADMIN role is assigned to four addresses (0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D, 0x35EA3066f90dB13e737Bbd41f1eD7B4BfF8323B3, 0xe014CBd60A793901546178E1c16AD9132c927483, 0x58F582455B54D7c83d03BceED95FAF72b37fddd7) on both Arbitrum and Avalanche. Only the first is the 5-of-8 Safe; the other three are single-key EOAs with timelock administration privileges per RoleModule.onlyTimelockAdmin.

Evidence (on-chain RPC): TIMELOCK_ADMIN count=4 on Arbitrum and Avalanche RoleStore; 3 of 4 addresses are not Gnosis Safes
Evidence (contract source): Role.TIMELOCK_ADMIN defined; onlyTimelockAdmin modifier in RoleModule
[medium] 25 Unverified Contracts Elevate Governance/Ops Opacity

Per VERIFICATION_STATUS.md, 25 of 54 scoped contracts lack verified source locally: all 9 Botanix, all 8 MegaETH, Arbitrum legacy Timelock (0x7A967D114B8676874FA2cFC1C14F3095C88418Eb), deployer EOA, ChainlinkDataStreamProvider, and several Avalanche core contracts (DataStore, Oracle, MultichainVault, ProtocolGovernor, Timelock). Unverified bytecode cannot be statically audited and may diverge from the gmx-synthetics repo.

Evidence (VERIFICATION_STATUS.md): Total: 54 contracts; Verified: 29; Unverified: 25
Evidence (contract source): Arbitrum Timelock 0x7A967... local file: source NOT VERIFIED
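The practical way to close the audit-to-bytecode gap described above, independent of explorer verification, is to build gmx-synthetics at the audited commit with the same solc settings and compare the local runtime bytecode with what eth_getCode returns. The one wrinkle worth showing is that solc appends a CBOR metadata trailer (ipfs or bzzr hash of the metadata JSON, compiler version) which changes with source paths or metadata settings, so a naive byte comparison fails on otherwise identical builds. The code below is an added example written for this page, not GMX or Guardian tooling; `split_metadata`, `matches_audited` and `cbor_trailer` are names chosen here, and the bytecodes are constructed samples, not real gmx-synthetics output.

```python
"""Audit-to-bytecode check: compare a local build of a contract at the audited
commit against eth_getCode output, ignoring the CBOR metadata trailer solc
appends (ipfs/bzzr hash, compiler version) that differs between otherwise
identical builds. Added example, not GMX or Guardian tooling; the bytecodes
below are constructed samples, not real gmx-synthetics output."""
from typing import Tuple


def _from_hex(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def split_metadata(code: bytes) -> Tuple[bytes, bytes]:
    """Return (logic, trailer). solc puts the CBOR length in the final two
    bytes (big-endian) and the CBOR map just before them. If the tail does
    not look like a solc trailer, everything is treated as logic."""
    if len(code) < 2:
        return code, b""
    n = int.from_bytes(code[-2:], "big")
    if n == 0 or n + 2 > len(code):
        return code, b""
    cbor = code[-(n + 2):-2]
    is_map = 0xA0 <= cbor[0] <= 0xB7          # CBOR map with 0..23 keys
    has_key = any(k in cbor for k in (b"ipfs", b"bzzr", b"solc"))
    if not (is_map and has_key):
        return code, b""
    return code[:-(n + 2)], code[-(n + 2):]


def matches_audited(onchain_hex: str, local_hex: str) -> bool:
    """True when the runtime logic is byte-identical with metadata removed.
    Immutables are baked into runtime code at deployment, so a mismatch
    can mean a different constructor argument, not only different source."""
    onchain, _ = split_metadata(_from_hex(onchain_hex))
    local, _ = split_metadata(_from_hex(local_hex))
    return onchain == local


def cbor_trailer(ipfs_hash: bytes, solc: bytes = b"\x00\x08\x1b") -> bytes:
    """Build the two-key trailer solc emits: {"ipfs": bytes, "solc": bytes3}
    followed by the 2-byte length of the CBOR map."""
    body = (b"\xa2" + b"\x64ipfs" + b"\x58" + bytes([len(ipfs_hash)]) + ipfs_hash
            + b"\x64solc" + b"\x43" + solc)
    return body + len(body).to_bytes(2, "big")


# Constructed samples: the same logic built twice (different ipfs hashes),
# plus a one-byte change in the logic to show a genuine divergence.
LOGIC = bytes.fromhex("6080604052348015600f57600080fd5b50")
ONCHAIN = LOGIC + cbor_trailer(b"\x12\x20" + bytes(32))
LOCAL = LOGIC + cbor_trailer(b"\x12\x20" + b"\xff" * 32)
TAMPERED = LOGIC[:-1] + b"\x00" + cbor_trailer(b"\x12\x20" + bytes(32))


def demo() -> dict:
    """Run the comparison on the constructed samples."""
    return {
        "same_build_matches": matches_audited(ONCHAIN.hex(), "0x" + LOCAL.hex()),
        "tampered_matches": matches_audited(ONCHAIN.hex(), TAMPERED.hex()),
        "trailer_len": len(split_metadata(ONCHAIN)[1]),
    }
```

A match shows only that the deployed logic corresponds to the commit. For contracts with immutable variables, diff the two logic blobs word by word before calling a mismatch a source divergence, and read constructor arguments and role wiring from chain separately, since neither is covered by a bytecode comparison.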
[medium] Dual Timelock Architecture With Legacy Address Confusion

ProtocolGovernor.timelock() on Arbitrum points to 0x4bd1cdAab4254fC43ef6424653cA2375b4C94C0E (OZ TimelockController, 24h, governor is proposer+executor), not the discovery-listed Timelock 0x7A967D114B8676874FA2cFC1C14F3095C88418Eb. The listed address is a legacy custom Timelock contract (Etherscan name: Timelock) that does not expose getMinDelay(). Operational config changes route through ConfigTimelockController where the 5-of-8 Safe is PROPOSER_ROLE.

Evidence (on-chain RPC): ProtocolGovernor.timelock()=0x4bd1cdAab4254fC43ef6424653cA2375b4C94C0E; listed 0x7A967... getMinDelay() reverts; ConfigTimelock multisig is PROPOSER_ROLE
Evidence (Etherscan API): 0x7A967D114B8676874FA2cFC1C14F3095C88418Eb ContractName=Timelock (verified on explorer, unverified in pipeline)
[medium] Avalanche Missing ConfigTimelockController

Arbitrum deploys ConfigTimelockController (0xC77E6C0ca99E02660A23c00A860Dd5a8912DEaF5) as ROLE_ADMIN and multisig-gated config executor. Avalanche has no equivalent contract in discovery or RoleStore ROLE_ADMIN set (only 0x20D56cf90fD3C8f3bEb9BAC03AfdA3241093DE36 timelock and 0x37E1aeb6118B0106810d2Ef7662875c414E39CA4 TimelockConfig). Cross-chain governance parity between settlement chains is incomplete.

Evidence (discovery.json): ConfigTimelockController listed only for arbitrum; avalanche contracts omit it
Evidence (on-chain RPC): Avalanche ROLE_ADMIN: 0x20D56cf (timelock 24h), 0x37E1ae (TimelockConfig bytecode 19478 bytes)
[low] On-Chain Governor Active but Snapshot-First Workflow

ProtocolGovernor on Arbitrum shows 20 ProposalCreated events with the most recent in March 2026. Parameters verified on-chain: votingDelay=1 day, votingPeriod=5 days, proposalThreshold=30,000 GMX (GovToken 0x2A29D3a792000750807cc401806d6fd539928481), quorum=3%. Primary documented workflow remains Snapshot (gmx.eth) signaling followed by multisig execution via ConfigTimelock, making the on-chain governor a parallel rather than sole authority.

Evidence (on-chain RPC): votingDelay=86400, votingPeriod=432000, proposalThreshold=30000000000000000000000, quorumNumerator=3
Evidence (Etherscan API): 20 ProposalCreated events on Arbitrum ProtocolGovernor 0x03e8f708e9c85edceaa6ad7cd06824ceb82a7e68
Evidence (discovery.json): governanceType: dao-multisig; snapshot: gmx.eth
[info] Core DataStore and RoleStore Are Immutable Role-Gated Contracts

DataStore and RoleStore have no owner() or upgrade proxy; access control is exclusively via RoleStore roles (ROLE_ADMIN, CONTROLLER, CONFIG_KEEPER, TIMELOCK_MULTISIG, etc.). ROLE_ADMIN on Arbitrum is held by timelock contracts (governor timelock, ConfigTimelockController, TimelockConfig 0x4A1D9e342e2Db5F4a02C9eF5Cb29cAF289F31599), aligning with stated immutability for core state storage.

Evidence (contract source): RoleStore constructor grants ROLE_ADMIN to deployer; grantRole/revokeRole onlyRoleAdmin; no upgrade pattern in DataStore
Evidence (on-chain RPC): Arbitrum ROLE_ADMIN members: governor timelock 0x4bd1cd, ConfigTimelock 0xc77e6c, TimelockConfig 0x4A1D9e
[info] V2 Deployer EOA Retains No Protocol Roles

The unverified deployer EOA 0xe7bfff2ab721264887230037940490351700a068 holds ~2 ETH on Arbitrum but has no RoleStore roles (ROLE_ADMIN, CONTROLLER, CONFIG_KEEPER, TIMELOCK_MULTISIG all false). Residual risk is limited to future transactions from this key, not current privileged access.

Evidence (on-chain RPC): Deployer hasRole() false for all checked roles; balance ~2.01 ETH

Governance Checklist

On-chain token governor (ProtocolGovernor): Arbitrum + Avalanche; 3% quorum, 30k GMX threshold, 24h timelock
Multisig (not EOA) for execution: 5-of-8 Gnosis Safe 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D (not 2-of-3 as documented)
Timelock on upgrades: 24h on governor timelock and ConfigTimelockController
Consistent governance across all chains: Botanix/MegaETH lack governor; ROLE_ADMIN on EOAs
Verified source for all privileged contracts: 25/54 scoped contracts unverified in pipeline
DAO claims match on-chain reality: Snapshot+multisig primary path; multisig threshold misdocumented

On-Chain Governance Parameters

Voting delay: 1 day
Voting period: 5 days
Proposal threshold: 30,000 GMX
Quorum: 3%
Timelock delay: 24 hours
Execution multisig: 5-of-8
On-chain proposals (Arbitrum): 20

ROLE_ADMIN Control by Chain

Chain | ROLE_ADMIN holders | Controller type | Risk
Arbitrum | Governor timelock, ConfigTimelock, TimelockConfig | Timelock contracts | Low
Avalanche | Governor timelock, TimelockConfig | Timelock contracts | Low–Medium
Botanix | 2 EOAs | Single-key accounts | High
MegaETH | 2 EOAs | Single-key accounts | High

Verified Execution Multisigs

multisig, arbitrum: GMX Timelock Multisig (primary)
multisig, botanix: Botanix Timelock Multisig
governor, arbitrum: ProtocolGovernor
timelock, arbitrum: ConfigTimelockController

Unverified Contracts (Governance/Ops Relevance)

Chain | Address | Name | Governance relevance
arbitrum | 0x7A967D114B8676874FA2cFC1C14F3095C88418Eb | Legacy Timelock | Listed governance contract; non-OZ interface
arbitrum | 0xe7bfff2ab721264887230037940490351700a068 | V2 Deployer EOA | Deployment key; no current roles
arbitrum | 0xE1d5a068c5b75E0c7Ea1A9Fe8EA056f9356C6fFD | ChainlinkDataStreamProvider | Oracle provider; parameter trust
avalanche | 0x2F0b22339414ADeD7D5F06f9D604c7fF5b2fe3f6 | DataStore | Core state; cannot audit locally
avalanche | 0xE1d5a068c5b75E0c7Ea1A9Fe8EA056f9356C6fFD | Oracle | Price feed admin path opaque
avalanche | 0x6D5F3c723002847B009D07Fe8e17d6958F153E4e | MultichainVault | Cross-chain custody
avalanche | 0x226ED647C6eA2C0cE4C08578e2F37b8c2F922849 | ProtocolGovernor | On-chain DAO controller
avalanche | 0xdF23692341538340db0ff04C65017F51b69a29f6 | Timelock | Listed governance contract
botanix | 0xA23B81a89Ab9D7D89fF8fc1b5d8508fB75Cc094d | DataStore | Core state on source chain
botanix | 0x51Aa17ca59E9e9C3cEc3c3c05c2B35f473b35D39 | RoleStore | All roles including EOA ROLE_ADMIN
megaeth | 0xE43C7B694f6b652a9F4A0f275C008d18758Dce35 | DataStore | Core state on source chain
megaeth | 0xecA46636BDDbb4F451ca2B7062C7E36744934655 | RoleStore | EOA-controlled ROLE_ADMIN