Bug bounty scope gap on highest-TVL contracts

GMX v2 (GMX Synthetics)'s assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Immunefi program covers ~250 assets on Arbitrum and Avalanche. Key exclusion is 'exploits that require access to Timelock admin keys or Fast Price Feed admin keys' - not a core contract exclusion. Highest-TVL contracts (GM market tokens, DataStore, ExchangeRouter on Arbitrum at $222M) appear to be in scope. MegaETH ($9M) and Botanix ($18K) deployments are not confirmed in the Immunefi scope, representing a minor gap for new chain deployments.

Sources #

URL
GMX Immunefi Bug BountyGMX Immunefi - 250 assets, Arbitrum + Avalanche, admin key exclusion onlyretrieved 2026-05-05

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol gmx-v2 factor RD-F-183 score yellow collected_at 2026-05-05 11:15:06