Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
Original Title: Reviewing the $42 Million Hack of GMX, the Decline of Second-Generation Derivative DEXs
During the 2022 bear market, GMX was one of the few highlights, representing on-chain perpetual contract trading and even holding an almost monopolistic position.
However, as the market recovered and competition intensified, its glory was gradually overshadowed by emerging projects. Now, a $42 million hacker attack has once again brought GMX back into the public eye.
More notably, this incident did not attract widespread attention in the Chinese community. A project that once had a strong influence in the industry is exiting the main stage in an almost "silent" manner.
Former King Severely Damaged
Since its launch in September 2021, GMX's TVL rapidly grew to $350 million before the LUNA crash and reached a peak of around $700 million in May 2023. Its token price also rose, reaching a high of $91 in April 2023.
Image source: defillama
However, with the rise of new protocols, the market share of veteran projects like GMX has been continuously eroded. Yesterday's hacker attack further exacerbated the situation amid declining traffic.
This attack caused GMX's price to drop by 17.3%, with TVL evaporating by approximately $100 million, a decline of 20%. Hackers stole over $42 million in crypto assets, involving multiple mainstream tokens, including WBTC, WETH, UNI, FRAX, LINK, USDC, USDT, etc.
After the incident, the GMX team immediately left a message for the hacker address, offering a 10% white hat bounty. However, according to Yuji monitoring, the attacker has already converted most of the stolen assets into approximately 11,700 ETH and dispersed them across 4 wallets. This operation essentially means the attacker has rejected the project's bounty proposal.
It is worth noting that this is not the first time GMX has been attacked. As early as September 2022, its v1 protocol deployed on Avalanche was exploited by hackers, causing a loss of about $560,000.
Attack Path Breakdown
In GMX, GLP is a liquidity provider token representing a share of vault assets (such as USDC, ETH, WBTC). When the enableLeverage function is enabled, users can open leveraged positions, including long or short operations.
According to security company BlockSec's analysis, the root of this problem lies in the executeDecreaseOrder function being incorrectly called.
The first parameter of this function should have been an externally owned account (EOA), but the attacker passed in a smart contract address, thereby achieving a re-entrancy attack.
Specifically, before redeeming GLP, the attacker opened a large WBTC short position. Because opening a short position immediately increases the global short size while the price has not changed, the system treats this short position as being at a loss by default, and this unrealized loss is counted as an "asset" of the vault, causing AUM to rise artificially.
Although the vault did not actually gain additional value, the redemption calculation will be based on this inflated AUM, thereby allowing the attacker to obtain assets far beyond what they should have received.
Image source: BlockSec
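The accounting described above can be modeled in a few lines. This is an added example, not code from GMX or BlockSec; the dollar figures, the `VaultState` fields and the 5% threshold are constructed assumptions. It shows how an unrealized short loss booked into AUM raises the GLP redemption value, and a monitoring check that flags an AUM jump not backed by assets the vault actually holds.

```python
from dataclasses import dataclass


@dataclass
class VaultState:
    pool_value: float   # USD value of tokens actually held by the vault
    short_loss: float   # unrealized loss of global shorts, booked as a vault "asset"
    glp_supply: float   # GLP tokens outstanding

    @property
    def aum(self) -> float:
        # Simplified model: AUM = held assets + unrealized short losses
        return self.pool_value + self.short_loss


def redeem_value(state: VaultState, glp_amount: float) -> float:
    """USD paid out for burning glp_amount at the AUM the system reports."""
    return glp_amount * state.aum / state.glp_supply


def unbacked_payout(state: VaultState, glp_amount: float) -> float:
    """Part of the payout that is not covered by assets the vault holds."""
    backed = glp_amount * state.pool_value / state.glp_supply
    return redeem_value(state, glp_amount) - backed


def flag_inflated_aum(before: VaultState, after: VaultState,
                      max_jump: float = 0.05) -> bool:
    """Flag a state change where AUM jumps although held assets did not grow."""
    aum_jump = (after.aum - before.aum) / before.aum
    return aum_jump > max_jump and after.pool_value <= before.pool_value


# Constructed sample states (not figures from the incident)
BEFORE = VaultState(pool_value=100_000_000, short_loss=0, glp_supply=100_000_000)
AFTER_SHORT = VaultState(pool_value=100_000_000, short_loss=50_000_000,
                         glp_supply=100_000_000)
AFTER_DEPOSIT = VaultState(pool_value=120_000_000, short_loss=0,
                           glp_supply=120_000_000)

if __name__ == "__main__":
    glp = 1_000_000
    print("fair redemption:    ", redeem_value(BEFORE, glp))
    print("inflated redemption:", redeem_value(AFTER_SHORT, glp))
    print("unbacked portion:   ", unbacked_payout(AFTER_SHORT, glp))
    print("flag after short:   ", flag_inflated_aum(BEFORE, AFTER_SHORT))
    print("flag after deposit: ", flag_inflated_aum(BEFORE, AFTER_DEPOSIT))
```

A genuine deposit raises held assets and GLP supply together, so the check does not flag it; only an AUM increase that comes purely from booked unrealized losses trips the alert.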
$27 Million Funds May Face Cascading Explosion?
GMX's early success sparked a wave of "forks", with many projects copying its open-source code with minor modifications or deploying it to other blockchains. Security company PeckShield warns that the vulnerability exploited in GMX v1 may also exist in these forked protocols.
It is estimated that approximately $27 million in funds are currently exposed to such risks. DefiLlama data shows 64 identified related projects, but only 13 have a TVL exceeding $100,000.
Image source: defillama
GMX has issued a warning on X platform, calling on these projects to immediately take countermeasures, including disabling leverage functions and suspending GLP token minting to prevent similar attacks from recurring.
Circle's Slow Response Sparks Anger
In this attack, stablecoin issuer Circle was also criticized for its "overly slow" response. Multiple users pointed out that Circle could have blacklisted the hacker address and frozen over $9 million in stolen USDC but did not take timely action.
The attacker even used Circle's own cross-chain bridge tool CCTP to transfer $8 million USDC from Arbitrum to Ethereum, which was then exchanged for Dai. Although these funds remained on-chain for 1-2 hours, Circle did not respond.
On-chain analyst ZachXBT also publicly criticized Circle's sluggishness, and this is not the first time he has challenged Circle. He has repeatedly questioned Circle co-founder Jeremy Allaire about why they are always "half a beat slow" at critical moments. For example, in the Bybit hack, Circle only froze the relevant addresses a day later.
GMX was once a pioneer among decentralized perpetual contract trading platforms, leading a golden wave. Looking back at the development of this track, the first-generation project dYdX was once glorious but has now faded into obscurity, while Perpetual Protocol is almost "extinct"; the second-generation project GMX has been severely damaged by this hacker attack; now, only the third-generation project Hyperliquid is rising strongly and leading the way.
Market patterns change in an instant, and security and evolution are the perpetual paths for projects.