GMX suffered an attack in which the attacker exploited a reentrancy vulnerability in the project's contract, profiting approximately $42 million. The Beosin security team analyzed the vulnerability and tracked the funds, sharing the following results:
Detailed Attack Steps
The attacker first used the margin refund mechanism in the OrderBook contract's executeDecreaseOrder function to launch a reentrancy attack that bypassed the leverage switch in the project's Timelock contract.
Then, the attacker borrowed USDC through a flash loan to stake and mint GLP, while simultaneously increasing a BTC short position with USDC as margin. This caused the GlpManager contract's AUM to be artificially high, which distorts the GLP price calculation.
Finally, the attacker redeemed GLP at the abnormal price for profit, specifying other tokens to receive in exchange.
Vulnerability Analysis
From the attack process, the root causes of the exploit are as follows:
- Lack of reentrancy protection, allowing internal state modification during redemption.
- Redemption logic is complex and lacks sufficient security verification.
Although GMX underwent multiple security audits, this reentrancy vulnerability was still overlooked. If the redemption logic had been more strictly checked and potential reentrancy vulnerabilities considered, such security incidents might have been avoided.
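To illustrate the two mitigations the analysis above points to, here is an added toy model (not GMX's contract code and not Beosin's) in which GLP price is AUM divided by GLP supply: a reentrancy lock that rejects any AUM change while a redemption is in flight, and a price-deviation check that refuses to redeem when the price has moved abnormally relative to a checkpoint. The pool figures, the 5% threshold and the mid-redemption callback are constructed assumptions.

```python
from decimal import Decimal
from typing import Callable, Optional


class ReentrancyError(Exception):
    pass


class PriceDeviationError(Exception):
    pass


class GlpPool:
    """Toy pool: GLP price = AUM / GLP supply. Constructed model, not GMX's contract code."""

    def __init__(self, aum_usd: str, glp_supply: str, max_deviation_bps: int = 500):
        self.aum = Decimal(aum_usd)            # assets under management, in USD
        self.supply = Decimal(glp_supply)      # outstanding GLP
        self.max_deviation = Decimal(max_deviation_bps) / Decimal(10_000)
        self.reference_price = self.price()    # price checkpointed outside any redemption (assumed)
        self._locked = False                   # mutex playing the role of a nonReentrant modifier

    def price(self) -> Decimal:
        return self.aum / self.supply

    def adjust_aum(self, delta_usd: str) -> None:
        """Any operation that moves AUM (position accounting, deposits, ...)."""
        if self._locked:
            raise ReentrancyError("AUM change attempted while a redemption is in progress")
        self.aum += Decimal(delta_usd)

    def redeem(self, glp_amount: str, hook: Optional[Callable[["GlpPool"], None]] = None,
               reentrancy_guard: bool = True, price_check: bool = True) -> Decimal:
        """Burn GLP for USD; `hook` stands in for an external call made mid-redemption."""
        if self._locked:
            raise ReentrancyError("nested redemption")
        self._locked = reentrancy_guard
        try:
            if hook is not None:
                hook(self)                     # untrusted code runs before the price is read
            p = self.price()
            deviation = abs(p - self.reference_price) / self.reference_price
            if price_check and deviation > self.max_deviation:
                raise PriceDeviationError(f"GLP price moved {float(deviation):.0%} during one redemption")
            payout = Decimal(glp_amount) * p
            self.aum -= payout
            self.supply -= Decimal(glp_amount)
            return payout
        finally:
            self._locked = False
```

With both toggles off, an AUM bump injected through the hook raises the payout for the same GLP amount; with the lock on, the same hook is rejected before the price is read, and a legitimately skewed pool is still refused by the deviation check.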
Stolen Funds Tracking
Beosin Trace tracked the stolen funds and discovered the following: the attacker address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 profited approximately $42 million, subsequently exchanging stablecoins and altcoins into ETH and USDC, and transferring the stolen assets to the Ethereum network through multiple cross-chain protocols. Currently, approximately $32 million worth of ETH from the stolen assets is held in the following 4 Ethereum network addresses:
- 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7
- 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95
- 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3
- 0x639cd2fc24ec06be64aaf94eb89392bea98a6605
Approximately $10 million in assets is held in the Arbitrum network address 0xdf3340a436c27655ba62f8281565c9925c3a5221. Beosin Trace has added the hacker-related addresses to its blacklist and will continue tracking.
According to Beosin Trace analysis, all stolen funds remain in the attacker's multiple addresses.
Summary
The core of this attack was the reentrancy vulnerability in the GMX contract, which allowed the attacker to redeem large amounts of assets after artificially inflating the AUM value. For complex DeFi protocols like GMX, multi-dimensional and multi-level security audits are needed, with thorough testing and review of the contract code. Previously, the Beosin security team has completed security audits for multiple DeFi protocols (such as Surf Protocol, SyncSwap, LeverFi, Owlto Finance), focusing on discovering contract logic defects and easily overlooked extreme scenarios to ensure comprehensive coverage of DeFi protocols.