Shared-library version with known-vuln status

GMX v2 (GMX Synthetics)'s assessment for RD-F-135 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

OZ 4.9.3: CVE-2023-40014 (ERC2771Context _msgSender returns address(0)) is patched in 4.9.3 itself - GMX v2 uses the patched version. No evidence GMX v2 uses ERC2771Context or custom trusted forwarder pattern. OZ 4.9.4 has a Duplicated subcall bug but GMX is pinned at 4.9.3 (not 4.9.4). The 4.9.3 pinned version is clean for GMX v2's use case.

Sources #

GitHub
GMX Synthetics package.jsonpackage.json - OZ pinned at 4.9.3retrieved 2026-05-05
URL
OZ CVE-2023-40014 AdvisoryCVE-2023-40014 - patched in OZ 4.9.3 which GMX usesretrieved 2026-05-05

Methodology #

Identify the version of key shared libraries (OZ, Solady, Solmate) used and check against CVE/GHSA databases for any active advisory.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol gmx-v2 factor RD-F-135 score green collected_at 2026-05-05 11:15:06