BlockSec: Analysis of GMX Attack Principles


Written by: BlockSec

GMX was attacked by hackers, resulting in losses exceeding 40 million dollars. The attackers exploited a reentrancy vulnerability and, while the contract had leverage functionality enabled, opened short positions to carry out the attack.

The root cause lies in the incorrect use of the executeDecreaseOrder function. Its first parameter was expected to be an externally owned account (EOA), but the attacker passed in a smart contract address instead. This allowed the attacker to re-enter the system during the redemption process, manipulate the internal state, and ultimately redeem assets worth far more than the GLP they actually held.

GLP Normal Redemption Mechanism

In GMX, GLP is the liquidity provider token that represents a share of the treasury assets (such as USDC, ETH, WBTC). When users call unstakeAndRedeemGlp, the system uses the following formula to calculate the amount of assets to be returned:

redeem_amount = (user_GLP / total_GLP_supply) * AUM

The calculation method for AUM (Assets Under Management) is as follows:

AUM = Total value of all token pools + Global unrealized losses from short positions - Global unrealized profits from short positions - Reserved amount - Preset deductions (aumDeduction)

This mechanism ensures that GLP holders receive a proportional share of the actual assets in the treasury.

Problems after leverage is enabled

When enableLeverage is turned on, users can open leveraged positions (long or short). Before redeeming GLP, the attacker opened a large short position in WBTC.

Opening a short position increases the global short size, and since the price has not yet moved, the system treats the new short position as being at a loss. That unrealized loss is counted as an "asset" of the treasury, so AUM is artificially inflated. The treasury has gained no real value, but the redemption calculation is based on the inflated AUM, allowing the attacker to withdraw far more assets than their GLP entitles them to.
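The two formulas above, modelled in Python as an added illustration (this is not BlockSec's or GMX's code). All figures are constructed, and the "conservative" AUM variant that ignores unrealized short PnL when pricing a redemption is an assumed defensive check, not GMX's actual fix.

```python
from dataclasses import dataclass


@dataclass
class VaultState:
    """Constructed snapshot of the inputs to the AUM formula (whole USD units)."""
    pool_value: int        # total value of all token pools
    reserved: int          # reserved amount
    aum_deduction: int     # preset deduction (aumDeduction)
    short_loss: int        # global unrealized losses from short positions
    short_profit: int      # global unrealized profits from short positions
    glp_supply: int        # total GLP supply


def aum(v: VaultState, include_short_pnl: bool = True) -> int:
    """AUM = pools + short losses - short profits - reserved - aumDeduction."""
    value = v.pool_value - v.reserved - v.aum_deduction
    if include_short_pnl:
        value += v.short_loss - v.short_profit
    return value


def redeem_amount(v: VaultState, user_glp: int, include_short_pnl: bool = True) -> int:
    """redeem_amount = (user_GLP / total_GLP_supply) * AUM, integer math."""
    return user_glp * aum(v, include_short_pnl) // v.glp_supply


def simulate(user_glp: int = 1_000_000, new_short_loss: int = 20_000_000) -> dict:
    """Redeem once at baseline, then again after a short that registers as a loss."""
    before = VaultState(pool_value=100_000_000, reserved=10_000_000, aum_deduction=0,
                        short_loss=0, short_profit=0, glp_supply=100_000_000)
    baseline = redeem_amount(before, user_glp)
    # Opening the short changes nothing in the pools, only the unrealized-loss term.
    after = VaultState(**{**before.__dict__, "short_loss": new_short_loss})
    inflated = redeem_amount(after, user_glp)
    # Assumed check: price the redemption on realized pool value only.
    conservative = redeem_amount(after, user_glp, include_short_pnl=False)
    return {"baseline": baseline, "inflated": inflated,
            "excess": inflated - baseline, "conservative": conservative}


if __name__ == "__main__":
    print(simulate())
```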

Attack Process

Attack Transaction

Closing Remarks

This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection design. The core issue is that the asset redemption logic places too much trust in AUM without sufficiently prudent security checks on its components (such as unrealized losses). At the same time, the assumption about the caller's identity (EOA vs. contract) in key functions is not enforced by any mandatory verification. This incident is a reminder to developers that, when handling sensitive financial operations, they must ensure the system state cannot be manipulated, and that introducing complex financial logic (such as leverage and derivatives) demands rigorous protection against the systemic risks of reentrancy and state contamination.
