GMX was stolen $42 million, how to ensure DeFi security?

Written by ChandlerZ, Foresight News

On July 9, the V1 system of the decentralized exchange GMX was attacked on the Arbitrum network. The attacker exploited a vulnerability in the contract to drain approximately $42 million of assets from the GLP liquidity pool. GMX suspended trading on the platform after the incident and disabled GLP's minting and redemption functions. The attack did not affect GMX's V2 system or its native token, but the incident has once again sparked discussion about how assets are managed inside DeFi protocols.

The process of the attack and the flow of funds

Analysis by the security firms PeckShield and SlowMist found that the attacker exploited a flaw in GMX V1's assets-under-management (AUM) calculation logic. The defect causes the contract to update the global short average price immediately after a short position is opened. Using this, the attacker constructed a directed sequence of operations that manipulated the token price and redeemed GLP at a profit.

The attacker bridged about $9.65 million in assets from Arbitrum to Ethereum, where they were swapped for DAI and ETH. Some of the funds went to the mixing protocol Tornado Cash. The remaining roughly $32 million in assets stayed on Arbitrum, in tokens including FRAX, wBTC and DAI.

After the incident, GMX sent an on-chain message to the attacker's address demanding the return of 90% of the funds and offering a 10% white hat bounty. According to the latest on-chain data, the GMX hacker has since swapped the assets stolen from the GMX V1 pool for ETH.

The stolen assets were WBTC, WETH, UNI, FRAX, LINK, USDC and USDT; everything except FRAX has been sold for 11,700 ETH (about $32.33 million) and spread across four wallets. The GMX hacker therefore now holds 11,700 ETH (about $32.33 million) and 10.495 million FRAX across five wallets, worth about $42.8 million in total.

Ember's analysis said the hacker's move also has implications for the GMX team's proposal that the assets be returned in exchange for a 10% white hat bounty.

A flaw in the contract logic

The security firm noted that the attacker neither gained unauthorized access to the contract nor bypassed permission controls; instead, the attacker drove the function along its expected logic and exploited the gap between state updates to call it repeatedly during execution, i.e., a typical re-entrancy pattern.

According to SlowMist, the root cause is a design flaw in GMX V1: opening a short position immediately updates the global short average price (globalShortAveragePrices), which feeds directly into the assets under management (AUM) calculation and therefore into GLP token pricing. The attacker exploited this design flaw by taking advantage of the Keeper's ability to call "timelock.enableLeverage" during order execution, a prerequisite for creating a large number of short positions. Through the re-entrancy attack, the attacker opened many short positions, manipulated the global average price, artificially inflated the GLP price within a single transaction, and profited from the redemption.

This is not the first time this type of attack has appeared in DeFi. When a contract's balance or position updates lag behind asset minting or redemption, a short-lived inconsistent state is exposed, and an attacker can construct an operation path through it to withdraw assets that were never deposited.

GMX V1 uses a shared pool design in which many users' assets form a single vault, with the contract tracking account information and liquidity status. GLP is the pool's LP token, and its price and exchange rate are computed dynamically from on-chain data and contract logic. Synthetic token systems of this kind carry observable risks, including amplified arbitrage opportunities, room for price manipulation, and state lag between calls.
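To make the accounting dependency described above concrete, here is an added toy model (not GMX's contract code) in which opening a short updates the global short average price at once, so a GLP redemption in the same transaction is priced off an inflated AUM; the hardened variant prices redemptions against an AUM snapshot taken at transaction entry and rejects in-transaction drift. Pool sizes, prices and the 0.1% tolerance are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ToyGlpVault:
    pool_value_usd: float            # USD value of tokens held in the pool
    glp_supply: float
    short_size_usd: float = 0.0      # aggregate open short notional
    short_avg_price: float = 0.0     # stand-in for globalShortAveragePrices
    tx_start_aum: float = 0.0        # hardened path: AUM snapshot taken at tx entry

    def aum(self, mark_price: float) -> float:
        # Unrealised short losses count as pool profit: AUM rises when mark > average.
        aum = self.pool_value_usd
        if self.short_size_usd > 0:
            delta = self.short_size_usd * abs(mark_price - self.short_avg_price) / self.short_avg_price
            aum += delta if mark_price > self.short_avg_price else -delta
        return aum

    def open_short(self, size_usd: float, entry_price: float) -> None:
        # The flaw from the write-up: the global average updates the moment a short
        # opens, so AUM and the GLP price move inside the same transaction.
        total = self.short_size_usd + size_usd
        self.short_avg_price = (self.short_avg_price * self.short_size_usd
                                + entry_price * size_usd) / total
        self.short_size_usd = total

    def redeem(self, glp_amount: float, mark_price: float, hardened: bool) -> float:
        # Vulnerable: price on live AUM. Hardened: price on the entry snapshot and
        # refuse if live AUM drifted in-tx (0.1% tolerance is an assumed toy value).
        live = self.aum(mark_price)
        if hardened and abs(live - self.tx_start_aum) / self.tx_start_aum > 0.001:
            raise RuntimeError("AUM moved within transaction; redemption blocked")
        price = (self.tx_start_aum if hardened else live) / self.glp_supply
        payout = glp_amount * price
        self.glp_supply -= glp_amount
        self.pool_value_usd -= payout
        return payout

def simulate(hardened: bool) -> Optional[float]:
    """One tx: snapshot AUM, open a short with entry below mark, then redeem GLP.
    Returns the USD payout, or None when the hardened check blocks it."""
    v = ToyGlpVault(pool_value_usd=1_000_000.0, glp_supply=1_000_000.0)
    v.tx_start_aum = v.aum(100.0)               # 1,000,000 USD: fair GLP price is 1.00
    v.open_short(500_000.0, entry_price=80.0)   # avg 80 vs mark 100: phantom loss 125,000
    try:
        return v.redeem(10_000.0, 100.0, hardened)  # vulnerable path pays 11,250, not 10,000
    except RuntimeError:
        return None
```

The snapshot-and-drift check is one defensive pattern; a re-entrancy guard around position updates and redemptions would close the same window.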

Official response

GMX officials quickly issued a statement after the attack, saying that the attack only affected the V1 system and its GLP pool. GMX V2, native tokens, and other markets are not affected. To prevent possible future attacks, the team has suspended trading operations on V1 and disabled GLP minting and redemption capabilities on Arbitrum and Avalanche.

The team also stated that its current focus is on restoring operational security and auditing contract internals. The V2 system does not inherit the logical structure of V1 and uses different clearing, quoting and position handling mechanisms with limited risk exposure.

The GMX token fell more than 17% in the 24 hours after the attack, from about $14.42 to a low of $10.3, and has since recovered slightly to trade at $11.78. Before the incident, GMX had a cumulative trading volume of more than $30.5 billion, more than 710,000 registered users, and more than $229 million in open interest.

Crypto asset security continues to come under pressure

The GMX attack is not an isolated case. Since the start of 2025, the cryptocurrency industry has lost more money to hacking than it did in the same period last year. Although the number of incidents declined in the second quarter, that does not mean the risk has eased. According to the CertiK report, total losses from hacks, scams and exploits exceeded $2.47 billion in the first half of 2025, up nearly 3% year-over-year from the $2.4 billion stolen in 2024. The theft from Bybit's cold wallet and the hack of the Cetus DEX together caused $1.78 billion in damage, accounting for the majority of total losses. Concentrated large-scale thefts of this kind show that high-value assets still lack adequate isolation and redundancy mechanisms, and that weaknesses in platform design are still not being addressed effectively.

Among attack types, wallet compromises caused the largest financial losses. There were 34 such incidents in the first half of the year, resulting in the transfer of approximately $1.7 billion in assets. Compared with technically sophisticated exploits, wallet attacks are mostly carried out through social engineering, phishing links, or permission spoofing, which have a lower technical barrier to entry but are extremely destructive. Attackers are increasingly targeting the user endpoints through which assets enter the system, especially where multi-factor authentication is not enabled or hot wallets are relied upon.

At the same time, phishing attacks are still growing rapidly and have become the most frequent vector. A total of 132 phishing attacks were recorded in the first half of the year, with cumulative losses of $410 million. Attackers forge web pages, contract interfaces, or disguised transaction confirmation flows to lead users into mistakes and obtain their private keys or authorization permissions. Attackers keep adapting their tactics to make phishing harder to identify, so security awareness and tooling on the user side have become a critical line of defense.
