If you notice some outdated information please let us know!
Process Quality Review (0.9)
GMX V2
FAIL
Scoring Appendix
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
- Here are my smart contract on the blockchain(s)
- Here is the documentation that explains what my smart contracts do
- Here are the tests I ran to verify my smart contracts
- Here are all the security steps I took to safeguard these contracts
- Here is an explanation of the control I have to change these smart contracts
- Here is how these smart contracts get information from outside the blockchain (if applicable)
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
Code and Team
67%
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
2. Does the protocol have a public software repository? (Y/N)
The protocol indeed has a public software repository](https://github.com/gmx-io). It can be found on the footer of the website home page. The V2 repo is here.
3. Is the team public (not anonymous)?
The team appears anonymous.
4. How responsive are the devs when we present our initial report?
0% - No dev response within 72 hours
Code Documentation
60%
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
The readme of the GitHub is sufficiently technical to be considered a white paper.
6. Is the protocol's software architecture documented? (%)
The technical description in the readme fulfills the requirements of a basic block diagram description of the software. For this reason, a score of 75% is given.
7. Does the software documentation fully cover the deployed contracts' source code? (%)
In addition to the technical description in the readme there is quite a bit of commenting in the code. This is inconsistent though. Some files have no commenting while others have quite a bit. Overall the results are quite good and a score of 75% is given.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
In the technical description there is mentioned of variables used in the code. There is no link to the actual variable and as such functionally no trace ability. As mentioned in our documentation commenting does not count towards trace ability so on this aspect a score of zero is unavoidable.
9. Is the documentation organized to ensure information availability and clarity? (%)
There is clear room for improvement in finding the documentation and working your way around. However the information is decently organized and as such a score of 50% results.
Testing
62%
This section covers the testing process of the protocol’s smart contract code previous to its deployment on the mainnet. The document explaining these questions is here.
10. Has the protocol tested their deployed code? (%)
The test to Code is 26647 / 25967 euqals 102% which gives a score of 80%
11. How covered is the protocol's code? (%)
No indication of code coverage but clearly there is a complete set of tests
12. Is there a detailed report of the protocol's test results?(%)
No detailed report found.
13. Has the protocol undergone Formal Verification? (Y/N)
There is a report from Certora indicating formal verification on GM XV2.
Security
42%
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
The list of audits and the auditors themselves are exactly what you would want to see. However, when you read the audits the contents are quite disturbing. Each audit mentions several, sometimes many, major or critical weaknesses. It is not clear from the audits that these are all fixed and validated. Normally this audit list would give a score of 100%. At this time, a score of 40% is given.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
While there is mention of audits for different versions of GMX contracts, there is no specific, structured matrix that outlines the extent of deployed code covered by conducted audits. The information available is not comprehensive in detailing which segments of the deployed code have been audited. The source mentions that one should check the scopes of the audits for more information, but a clear, detailed matrix is not provided.
16. Is the bug bounty value acceptably high (%)
There is an active bounty with a maximum of $5 million on Immunefi this gives a score over 100%.
17. Is there documented protocol monitoring (%)?
No specific information on protocol monitoring could be found.
18. Is there documented protocol front-end monitoring (%)?
The provided documentation does not clearly mention any measures implemented for front-end monitoring such as DDOS Protection, DNS steps to protect the domain, Intrusion detection protection on the front end, or Unwanted front-end modification detection. While there is mention of general security precautions for interacting with blockchain applications, specific measures for front-end monitoring are not explicitly outlined. [...]
Admin Controls
54%
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
The code appears to be immutable.
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
The protocol's documentation does not provide any clear explanation about the upgradeability or immutability of the code. While there is mention of mitigating risks through testing, audits, and bug bounties, there is no specific discussion regarding how upgrades are managed or how user investments are protected during such events. The documentation lacks any non-technical explanation about the protocol's admin controls and does not provide information in layman's terms about the safety measures in place for upgrades.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
The provided documentation does not mention any details about admin addresses, roles, or capabilities. The focus of the documentation is on interacting with the blockchain, the risks involved, and security measures. However, there's no specific information about the administrative structure or its functionalities within the protocol.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
The provided documents do not contain any information regarding the signers of the admin addresses, their roles, or their capabilities. Therefore, it is not possible to verify if they are separate, distinct individuals. The documents mainly discuss general security precautions, audit details, and instructions for interacting with the blockchain application.
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
No transaction poilicy evident. It is not clear if one is needed either.
Oracles
50%
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
24. Are Oracles relevant? (Y/N)
The protocol uses Chainlink for price feeds, as mentioned in the document. It states that to ensure profits for all short positions, contracts will pay out profits in the stablecoin based on a price of 1 USD or the current Chainlink price for the stablecoin, whichever is higher. Furthermore, during times of high volatility, there may be a spread from the Chainlink price to the median price of reference exchanges.
25. Is the protocol's Oracle sufficiently documented? (%)
The protocol's Oracle is well-documented. The protocol uses the Chainlink Oracle for its price data, as noted in the document. The Oracle's function is mentioned, particularly in relation to stablecoin pricing in case of a depeg from 1 USD. The contract also mentions that profits for all short positions can always be fully paid out, with contracts paying out profits in the stablecoin based on a price of 1 USD or the current Chainlink price for the stablecoin, whichever is higher. There is also mention of a spread from 1 USD to the Chainlink price of the stablecoin for swaps using the depegged stablecoin. No specific details about the frequency of price feed updates are given, but the overall use and function of the Oracle are clear.
26. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
Based on the available information, there is no explicit mention of flashloan attacks or measures against them in the provided document extracts. Although the documents discuss general security precautions, liquidation price, and risks related to smart contracts, they do not directly address the concept of flashloan attacks or any specific countermeasures against such attacks.