defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

GMX v2 (GMX Synthetics)'s assessment for RD-F-042 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Two unlimited-mint patterns were found: (1) GovToken mint() by GOV_TOKEN_CONTROLLER — no supply cap (6.88M current supply); (2) MarketToken mint() by CONTROLLER — no per-market supply cap. The GMX trading token (0xfc5A1A6EB) is a separate ERC-20 that is not under this mint authority. GovToken minting dilutes governance votes; MarketToken minting by a compromised CONTROLLER could fraudulently inflate LP positions. Both are role-gated. Not scored red: there is no single-address exploit path to drain user funds via mint alone.

Sources

  • GitHub
    GovToken unlimited mint: GovToken.sol — mint(address,uint256) external onlyGovTokenController; no MAX_SUPPLY defined (retrieved 2026-05-05)
  • Etherscan
    GovToken current supply: GMX_DAO token total supply: 6,883,993 tokens (6.88M with 18 decimals) (retrieved 2026-05-05)
  • GitHub
    MarketToken unlimited mint: MarketToken.sol — mint(address,uint256) external onlyController; no supply cap (retrieved 2026-05-05)

Methodology

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.
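One way to automate a first pass of this check is sketched below as an added example; it is not defirisk.co's tooling or GMX code. The two Solidity samples are constructed, and the cap-detection patterns (a `MAX_SUPPLY`/`cap` name or a `totalSupply() +` comparison) are assumed naming conventions.

```python
import re

# Constructed Solidity samples (not GMX source): uncapped vs. capped role-gated mint.
UNCAPPED = """
contract SampleGovToken {
    function mint(address account, uint256 amount) external onlyGovTokenController {
        _mint(account, amount);
    }
}
"""
CAPPED = """
contract SampleCappedToken {
    uint256 public constant MAX_SUPPLY = 10_000_000e18;
    function mint(address account, uint256 amount) external onlyController {
        require(totalSupply() + amount <= MAX_SUPPLY, "cap exceeded");
        _mint(account, amount);
    }
}
"""
# mint(...) definitions with a body; interface declarations ending in ';' are skipped.
MINT_RE = re.compile(r"function\s+mint\s*\(([^)]*)\)([^{;]*)\{")
# Signs of a supply bound inside the body (assumed naming conventions).
CAP_RE = re.compile(r"\b(max_?supply|cap)\b|totalSupply\s*\(\s*\)\s*\+", re.I)

def function_body(src, open_brace):
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]

def find_mints(src):
    """List each mint() with its only* modifiers, visibility and cap evidence."""
    findings = []
    for m in MINT_RE.finditer(src):
        header = m.group(2)
        body = function_body(src, m.end() - 1)
        findings.append({
            "modifiers": re.findall(r"\bonly\w+", header),
            "callable": bool(re.search(r"\b(external|public)\b", header)),
            "capped": bool(CAP_RE.search(body)),
        })
    return findings

def has_uncapped_admin_mint(src):
    """True if any externally callable, role-gated mint() shows no supply bound."""
    return any(f["callable"] and f["modifiers"] and not f["capped"]
               for f in find_mints(src))
```

This is a text heuristic: a cap enforced in an inherited contract or an internal `_mint` override is not visible to it, so a positive result still needs manual confirmation against the full inheritance chain.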


rubric_version: v1.7.0
protocol: gmx-v2
factor: RD-F-042
score: yellow
collected_at: 2026-05-05 11:15:06