Original | Odaily (@OdailyChina)
Author | Asher (@Asher_0210)
Last night, GMX, a leading on-chain DeFi protocol, suffered a major security incident in which more than $40 million in crypto assets were stolen, including WBTC, WETH, UNI, FRAX, LINK, USDC and USDT. After the incident, Bithumb announced that GMX deposits and withdrawals would be suspended until the network stabilizes.
Hit by the theft, the GMX token fell more than 25% within 4 hours, dipping below $11 at one point; it currently trades at $11.8. According to DefiLlama data, GMX's TVL fell from $500 million before the theft to $400 million, a 20% drop.
GMX platform TVL affected by the theft, temporarily dropping to $400 million
Next, Odaily will help you sort out the reasons for this GMX theft, the team's response, and the latest developments of the hackers.
Attackers Exploited a Reentrancy Vulnerability
The root cause of this GMX theft was a reentrancy vulnerability in the core function executeDecreaseOrder. Its first parameter was expected to be an externally owned account (EOA), but the attacker passed a smart contract address instead, which let them re-enter the system during the redemption process, manipulate internal state, and ultimately redeem assets worth far more than their GLP.
23pds, partner and Chief Information Security Officer at SlowMist, posted on X that in GMX V1, opening a short position immediately updates the global short average price (globalShortAveragePrices), which feeds directly into the calculation of total assets under management (AUM) and therefore into the valuation and redemption value of GLP tokens.
The attacker took advantage of GMX's design of enabling timelock.enableLeverage during order execution (a prerequisite for opening large short positions) and triggered the reentrancy vulnerability in executeDecreaseOrder through contract calls. Using it, the attacker repeatedly opened short positions, artificially distorting the global short average price while the market price itself never moved.
Because AUM depends on that price, the platform counted the resulting phantom short losses as pool assets (in V1's AUM formula a short that is under water is treated as value owed to the pool), which inflated the GLP valuation. The attacker then redeemed GLP and withdrew assets far beyond their rightful share, pocketing a large profit.
Attack transaction (BlockSec explorer): https://app.blocksec.com/explorer/tx/arbitrum/0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef?line=93
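To make the valuation mechanics concrete, here is a small Python model added as an editorial example; it is not GMX's code and not part of the original report. It keeps only the part of GMX V1's GlpManager.getAum logic that matters here, the sign convention for the aggregated short position and the pro-rata GLP redemption, and omits fees, reserved amounts, guaranteed USD and token decimals. All prices, sizes and the GLP supply are constructed, and the way the attacker produced a distorted average price is not modelled; the model only shows what such a price does to a redemption.

```python
"""Toy model of the GMX V1 GLP valuation path described above.

Added example, not GMX code. It reproduces the sign convention that
GlpManager.getAum applies to the aggregated short position (a short that is
under water counts as assets owed to the pool, a short in profit is subtracted)
and the pro-rata redemption formula, but leaves out fees, reserved amounts,
guaranteed USD and per-token decimals. Every number below is constructed.
"""
from dataclasses import dataclass

PRICE_PRECISION = 10**30  # GMX V1 prices and USD sizes carry 30 decimals


def usd(x: int) -> int:
    """Whole-dollar amount expressed with 30 decimals."""
    return x * PRICE_PRECISION


@dataclass
class TokenState:
    price: int                        # current index price, 30 decimals
    pool_amount: int                  # pool balance in whole tokens (decimals ignored)
    global_short_size: int = 0        # USD size of all open shorts, 30 decimals
    global_short_avg_price: int = 0   # recorded average entry price of those shorts


def global_short_delta(t: TokenState) -> tuple:
    """Unrealised PnL of the aggregated short as (delta_usd, has_profit).

    Shorts profit when the recorded average entry price sits above the current
    price and lose when the price sits above it; the loss grows the further the
    recorded average sits below the market price.
    """
    if t.global_short_size == 0 or t.global_short_avg_price == 0:
        return 0, False
    avg, price = t.global_short_avg_price, t.price
    price_delta = avg - price if avg > price else price - avg
    return t.global_short_size * price_delta // avg, avg > price


def get_aum(tokens: dict) -> int:
    """Assets under management in USD (30 decimals), GlpManager.getAum style."""
    aum = 0
    short_profits = 0
    for t in tokens.values():
        aum += t.pool_amount * t.price
        delta, has_profit = global_short_delta(t)
        if has_profit:
            short_profits += delta
        else:
            aum += delta  # trader losses are owed to the pool, so they count as assets
    return 0 if short_profits > aum else aum - short_profits


def redeem_value(tokens: dict, glp_amount: int, glp_supply: int) -> int:
    """USD (30 decimals) paid out for glp_amount GLP: its share of AUM."""
    return get_aum(tokens) * glp_amount // glp_supply


def scenario(short_avg_price_usd: int) -> int:
    """Whole-dollar payout for redeeming 1% of GLP supply, given a recorded
    global short average price on WBTC. The market price stays at $109,000 in
    every run; only the recorded average changes. Constructed pool state."""
    tokens = {
        "WBTC": TokenState(price=usd(109_000), pool_amount=100,
                           global_short_size=usd(20_000_000),
                           global_short_avg_price=usd(short_avg_price_usd)),
        "USDC": TokenState(price=usd(1), pool_amount=5_000_000),
    }
    glp_supply = 10_000_000
    return redeem_value(tokens, glp_supply // 100, glp_supply) // PRICE_PRECISION


if __name__ == "__main__":
    honest = scenario(108_000)   # shorts slightly under water: 160851
    distorted = scenario(2_000)  # average far below market: 10859000
    print(f"honest payout:    ${honest:,}")
    print(f"distorted payout: ${distorted:,}  ({distorted // honest}x)")
```

Compare the two payouts: with the recorded average near the market price, redeeming 1% of GLP pays out roughly the honest share of pool assets; with the average pushed far from the market price on a large short size, the same GLP claims tens of times more, and that gap is what the attacker redeemed into. A recorded average above the market price runs the other branch and reduces AUM instead.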
GMX Official Response: GLP Liquidity Pool on Arbitrum GMX V1 Exploited, V2 Unaffected
Regarding this major security incident, the GMX team promptly issued an official response, stating on X that the GLP pool of GMX V1 on Arbitrum had been exploited, approximately $40 million in tokens had been transferred to an unknown wallet, and security partners were investigating the attack.
Trading and GLP minting/redemption for GMX V1 have been disabled on both Arbitrum and Avalanche to prevent further attacks. The vulnerability does not affect GMX V2 or the GMX token itself.
To reduce the risk from the GMX V1 attack, teams running GMX V1 deployments can take the following actions (both are governance calls on the Vault or its Timelock, not something an ordinary user can invoke):
Disable leverage: call Vault.setIsLeverageEnabled(false); if the Vault is governed by a Timelock, call Timelock.setShouldToggleIsLeverageEnabled(false).
Set maxUsdgAmounts to 1 for every token: use Vault.setTokenConfig or Timelock.setTokenConfig to stop further GLP minting. The value must be 1, not 0: in V1 a maxUsdgAmount of 0 means "no cap", so setting 0 would leave minting open and the vulnerability exposed.
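As an added illustration (an editorial example, not GMX's code), the following Python sketch mirrors only the guard semantics behind those two calls: Vault.increasePosition reverts unless isLeverageEnabled is set, and the USDG-minting path enforces maxUsdgAmounts[token] only when the cap is non-zero, which is why 0 disables the cap rather than closing minting. Everything else in the Vault is omitted, the token names and amounts are constructed, and the audit_lockdown helper is my own assumption about what a reviewer would check, not a GMX tool.

```python
"""Toy model of the two GMX V1 emergency switches listed above.

Added example, not GMX code. It keeps only the guard semantics of the V1 Vault:
increasePosition requires isLeverageEnabled, and the USDG accounting enforces
maxUsdgAmounts[token] only when that value is non-zero (0 means "no cap").
Pricing, fees and position accounting are left out; all values are constructed.
"""


class VaultError(Exception):
    """Stand-in for a reverted Vault call."""


class VaultModel:
    def __init__(self, tokens):
        self.is_leverage_enabled = True
        self.max_usdg_amounts = {t: 0 for t in tokens}  # 0 == unlimited, as in V1
        self.usdg_amounts = {t: 0 for t in tokens}      # USDG already minted per token

    # Vault.setIsLeverageEnabled / Timelock.setShouldToggleIsLeverageEnabled
    def set_is_leverage_enabled(self, enabled: bool) -> None:
        self.is_leverage_enabled = enabled

    # the maxUsdgAmount field of Vault.setTokenConfig / Timelock.setTokenConfig
    def set_max_usdg_amount(self, token: str, max_usdg_amount: int) -> None:
        self.max_usdg_amounts[token] = max_usdg_amount

    def increase_position(self, token: str, size_usd: int, is_long: bool) -> None:
        """Opening or growing a position is gated on the leverage flag."""
        if not self.is_leverage_enabled:
            raise VaultError("Vault: leverage not enabled")
        # real position accounting omitted

    def buy_usdg(self, token: str, usdg_out: int) -> int:
        """Mint path behind GLP minting; applies the per-token cap only if set."""
        new_total = self.usdg_amounts[token] + usdg_out
        cap = self.max_usdg_amounts[token]
        if cap != 0 and new_total > cap:
            raise VaultError("Vault: max USDG exceeded")
        self.usdg_amounts[token] = new_total
        return usdg_out


def lockdown(vault: VaultModel, cap: int = 1) -> None:
    """Apply the two recommended V1 mitigations with the given cap value."""
    vault.set_is_leverage_enabled(False)
    for token in vault.max_usdg_amounts:
        vault.set_max_usdg_amount(token, cap)


def audit_lockdown(vault: VaultModel) -> list:
    """Hypothetical reviewer check: which switches are still open?"""
    findings = []
    if vault.is_leverage_enabled:
        findings.append("leverage still enabled")
    for token, cap in vault.max_usdg_amounts.items():
        if cap == 0:
            findings.append(f"{token}: maxUsdgAmount 0 means unlimited, minting still open")
        elif cap > max(1, vault.usdg_amounts[token]):
            findings.append(f"{token}: maxUsdgAmount {cap} still leaves minting headroom")
    return findings


def minting_blocked(cap: int) -> bool:
    """Does a fresh vault locked down with this cap value still let anyone mint?"""
    vault = VaultModel(["WBTC", "WETH", "USDC"])
    lockdown(vault, cap)
    try:
        vault.buy_usdg("WBTC", 1_000 * 10**18)  # constructed amount; USDG has 18 decimals
    except VaultError:
        return True
    return False


def leverage_blocked_after_lockdown() -> bool:
    vault = VaultModel(["WBTC"])
    lockdown(vault)
    try:
        vault.increase_position("WBTC", 10**30, is_long=False)
    except VaultError:
        return True
    return False


if __name__ == "__main__":
    print("cap=0 blocks minting:", minting_blocked(0))  # False: 0 is "no cap"
    print("cap=1 blocks minting:", minting_blocked(1))  # True
    print("leverage blocked:", leverage_blocked_after_lockdown())
```

The audit helper is the check worth running after the calls go through: a cap of 0 on any token, or the leverage flag still set, means the deployment is still exposed even though the transactions succeeded.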
According to the latest update, GMX confirmed that only GMX V1 was attacked; the GMX V2 contracts do not use the same calculation mechanism. Out of caution, GMX has nevertheless updated the token caps for GMX V2 on Arbitrum and Avalanche, so new token minting is currently restricted in most liquidity pools; GMX will announce as soon as the restriction is lifted.
In addition, on-chain data shows that GMX sent a message to the hacker's address acknowledging the GMX V1 vulnerability, offering a 10% white hat bounty, and promising to take no further legal action if the remaining 90% of the funds are returned within 48 hours.
GMX willing to offer 10% white hat bounty
Hackers Have Transferred Over $30 Million to New Addresses
On-chain evidence suggests this was premeditated: the hacker's initial funds came from the Tornado Cash mixing protocol several days earlier, pointing to thorough preparation for the attack.
After stealing over $40 million in crypto assets, the hackers quickly moved more than $30 million. On-chain data shows that the labelled hacker address (https://debank.com/profile/0xdf3340a436c27655ba62f8281565c9925c3a5221) transferred 88 BTC (about $9.8 million), over 2,200 ETH (about $5.85 million), over 3 million USDC and over 1.3 million DAI to a new address, 0x99cdeb84064c2bc63de0cea7c6978e272d0f2dae, and over 4,300 ETH (about $11 million) to another new address, 0x6acc60b11217a1fd0e68b0ecaee7122d34a784c1. In total, more than $30 million has been moved to new addresses.
Hackers stole over $40 million in assets
Hacker's address currently has $10 million in assets yet to be transferred
On-chain investigator ZachXBT criticized Circle's inaction on X, stating that 1-2 hours after the GMX attack Circle had taken no action against the hacker, who had even used Circle's cross-chain transfer protocol CCTP to move stolen funds from Arbitrum to Ethereum.
Summary
This theft not only exposed critical flaws in GMX V1's caller validation, state update ordering and leverage mechanism design, it also sounded an alarm for the whole industry: in a system that combines complex financial logic (leverage, dynamic pricing) with external contract execution paths, any unprotected entry point can become the starting point of a black swan event.
It is also worth noting that the hackers have converted most of the stolen assets into cryptocurrencies that are harder to freeze, notably decentralized assets such as ETH and DAI, and have spread the funds across multiple new addresses, making tracing and recovery harder still. GMX's offer of a "10% white hat bounty in exchange for immunity" also exposes the practical dilemma of a Web3 world that still lacks a unified legal accountability mechanism.
For DeFi developers, the more important question is perhaps not "how did the hackers succeed" but whether, when a system custodies users' real assets, enough mechanisms exist to bound the most extreme attack paths. Otherwise, however polished the product logic, a design without security boundaries cannot escape the cost of systemic risk.