defirisk.co
rubric v1.7.0

Flash loan >$10M targeting protocol tokens

GMX v2 (GMX Synthetics)'s assessment for RD-F-100 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No documented flash loan >$10M targeting GMX v2 oracle or market contracts at assessment date. Pull-oracle design (Chainlink Data Streams) structurally reduces flash-loan oracle price manipulation risk compared to push-oracle protocols — oracle prices are DON-signed off-chain and not readable from on-chain DEX spot pools. Flash loans can still be used to scale position sizes but cannot directly manipulate the price feed. The July 2025 v1 exploit used reentrancy (not flash loan oracle manipulation) and targeted v1 only. Threshold: flash loan >$10M USD AND receiver contract interacts with protocol oracle, market, or governor in same tx.

Sources

  • URL
    https://sherlock.xyz/post/gmx-exchange-hack-explained (retrieved 2026-05-05)
  • Docs
    https://gmxio.substack.com/p/gmx-v2-powered-by-chainlink-data (retrieved 2026-05-05)

Methodology

Detect whether a flash loan of more than $10M, denominated in protocol tokens or LP tokens, has been originated and is likely to interact with this protocol.
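
The threshold from the evidence summary (flash loan >$10M USD AND receiver contract interacts with protocol oracle, market, or governor in the same tx), as an added detection example that is not defirisk.co's or GMX's own code. The decoded-transaction record shape, the placeholder addresses and the USD values are constructed; treating "interacts" as any call reachable from the receiver within the transaction, and summing loans per receiver, are assumptions of this example.

```python
from collections import defaultdict, deque

THRESHOLD_USD = 10_000_000  # page threshold: flash loan > $10M USD

# Constructed placeholder addresses standing in for the protocol's
# oracle, market and governor contracts (not real GMX addresses).
SURFACES = {"0xORACLE": "oracle", "0xMARKET": "market", "0xGOV": "governor"}

def reachable(calls, start):
    """Contracts reached from `start` via caller->callee edges of one tx trace."""
    graph = defaultdict(set)
    for caller, callee in calls:
        graph[caller].add(callee)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def flag_tx(tx):
    """Return [(receiver, borrowed_usd, surfaces)] meeting both threshold conditions."""
    borrowed = defaultdict(float)
    for loan in tx["flash_loans"]:      # sum per receiver within the same tx
        borrowed[loan["receiver"]] += loan["usd"]
    findings = []
    for receiver, usd in borrowed.items():
        if usd <= THRESHOLD_USD:        # must be strictly greater than $10M
            continue
        hit = {SURFACES[a] for a in reachable(tx["calls"], receiver) if a in SURFACES}
        if hit:                         # AND: touches oracle, market or governor
            findings.append((receiver, usd, sorted(hit)))
    return findings

def scan(txs):
    """Map tx hash -> findings, for transactions that meet the threshold."""
    results = {tx["hash"]: flag_tx(tx) for tx in txs}
    return {h: f for h, f in results.items() if f}

# Constructed sample transactions (hypothetical indexer output, USD already priced).
SAMPLE = [
    {"hash": "tx1", "calls": [("0xR1", "0xHELPER"), ("0xHELPER", "0xMARKET")],
     "flash_loans": [{"receiver": "0xR1", "usd": 6e6}, {"receiver": "0xR1", "usd": 5e6}]},
    {"hash": "tx2", "calls": [("0xR2", "0xDEX")],
     "flash_loans": [{"receiver": "0xR2", "usd": 25e6}]},
    {"hash": "tx3", "calls": [("0xR3", "0xORACLE")],
     "flash_loans": [{"receiver": "0xR3", "usd": 10e6}]},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Only tx1 is flagged: tx2 is large but never reaches a protocol surface, and tx3 reaches the oracle but borrows exactly $10M, which does not exceed the threshold.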


rubric_version: v1.7.0
protocol: gmx-v2
factor: RD-F-100
score: green
collected_at: 2026-05-05 11:15:06