Over $40 million stolen, the story of GMX's precise ambush.

Original | Odaily Daily Report (@OdailyChina)

Author | Asher (@Asher_0210)


Last night, the leading on-chain DeFi protocol GMX platform experienced a major security incident, with over 40 million dollars in crypto assets stolen by hackers, involving various mainstream tokens such as WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT. After the incident, Bithumb issued an announcement stating that GMX’s deposit and withdrawal services will be suspended until the network stabilizes.

Affected by this theft incident, the GMX token fell over 25% in 4 hours, with the price temporarily dropping below 11 USD, now reported at 11.8 USD. According to DefiLlama data, GMX’s TVL dropped from 500 million USD before the theft incident to 400 million USD, with a short-term decline of up to 20%.


The TVL of the GMX platform has been affected by the theft incident, briefly dropping to 400 million dollars.

Next, Odaily will summarize the reasons for the recent GMX theft incident, the team’s response, and the latest developments regarding the hacker.

Attackers exploit reentrancy vulnerabilities

The fundamental reason for the GMX theft incident lies in the reentrancy vulnerability present in the core function executeDecreaseOrder. The first parameter of this function was supposed to be an externally owned account (EOA), but the attacker passed in a smart contract address, which allowed the attacker to re-enter the system during the redemption process, manipulating the internal state and ultimately redeeming assets that far exceeded the actual value of the GLP they held.

23pds, partner and Chief Information Security Officer of SlowMist, stated in a post on platform X that in GMX V1, opening a short position immediately updates the global short average prices (globalShortAveragePrices). This price feeds directly into the calculation of total assets under management (AUM), and therefore into the valuation and redemption amount of GLP tokens.

The attacker exploited GMX's design of enabling leverage through timelock.enableLeverage during order execution (a prerequisite for opening large short positions), and triggered the reentrancy vulnerability in the executeDecreaseOrder function through a contract call. Using this vulnerability, the attacker repeatedly created short positions, artificially raising the global average short price without actually changing the market price.

Since AUM relies on this price calculation, the platform mistakenly included the inflated short losses in the total assets, causing the GLP valuation to be artificially increased. The attacker then redeemed GLP and withdrew assets far exceeding their entitled share, realizing substantial profits.
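The dependency described above can be made concrete with a small model. This is an added example, not GMX's code and not from the original article: the AUM formula is a simplified assumption (pool value adjusted by the aggregate unrealized PnL of shorts), all names and numbers are constructed, and the guard shows one defensive check, recomputing the average from the open positions before the stored value is trusted for pricing.

```python
from dataclasses import dataclass

@dataclass
class Short:
    size_usd: float     # notional size of the open short
    entry_price: float  # index price when it was opened

def expected_avg(shorts):
    """Size-weighted average entry price recomputed from the positions."""
    total = sum(s.size_usd for s in shorts)
    return total / sum(s.size_usd / s.entry_price for s in shorts)

def aum(pool_usd, short_size, avg_short_price, mark):
    """Assumed model: pool value adjusted by traders' unrealized short PnL."""
    delta = short_size * abs(avg_short_price - mark) / avg_short_price
    shorts_in_profit = avg_short_price > mark
    return pool_usd - delta if shorts_in_profit else pool_usd + delta

def redeem_usd(glp_amount, glp_supply, aum_usd):
    """USD value paid out for burning glp_amount at the current GLP price."""
    return glp_amount * aum_usd / glp_supply

def average_is_consistent(stored_avg, shorts, tolerance=0.01):
    """Guard: stored global average must match the positions within tolerance."""
    if not shorts:
        return True
    exp = expected_avg(shorts)
    return abs(stored_avg - exp) / exp <= tolerance

def demo():
    # Constructed numbers, not taken from the incident.
    shorts = [Short(200_000, 100_000), Short(300_000, 100_000)]
    size, mark, pool, supply = 500_000, 100_000, 1_000_000, 1_000
    out = {}
    for label, stored in (("consistent", 100_000), ("distorted", 50_000)):
        a = aum(pool, size, stored, mark)
        out[label] = {
            "aum": a,
            "redeem_100_glp": redeem_usd(100, supply, a),
            "guard_ok": average_is_consistent(stored, shorts),
        }
    return out

if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
```

With the market price unchanged, the distorted stored average alone raises the redemption value of the same GLP amount, and the guard rejects it because it no longer matches the positions.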

Attack transaction example: line= 93


GMX Official Response: The GLP liquidity pool of GMX V1 version on Arbitrum has suffered a vulnerability attack, while the GMX V2 version is unaffected.

In response to this major security incident, the GMX team has made an official statement at the earliest opportunity. They posted on the X platform that the GLP pool of GMX V1 on the Arbitrum platform suffered a vulnerability attack, with approximately 40 million dollars worth of tokens transferred from the GLP pool to an unknown wallet. Security partners have been involved in investigating this attack.

Currently, the Arbitrum and Avalanche platforms have disabled trading for GMX V1 version as well as the minting and redemption functions for GLP to prevent any further attacks, but this vulnerability does not affect the GMX V2 version, nor does it affect the GMX token itself.

Due to the attack on GMX V1 version, users can take the following actions to reduce risk:

  • Disable leverage feature: Call Vault.setIsLeverageEnabled(false) to turn it off; if Vault Timelock is used, call Timelock.setShouldToggleIsLeverageEnabled(false).
  • Set the maxUsdgAmounts of all tokens to “1”: Use Vault.setTokenConfig or Timelock.setTokenConfig to prevent further minting of GLP. It is important to note that this value must be set to “1” instead of “0”, as setting it to 0 indicates no limit, which could lead to the vulnerability being exploited continuously.
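The two mitigations above, including the "1, not 0" trap, expressed as an audit over a snapshot of vault settings. This is an added example, not GMX's code: the VaultState fields, the cap check in mint_allowed and the sample values are constructed assumptions that follow the semantics the list describes (a cap of 0 means no limit).

```python
from dataclasses import dataclass

@dataclass
class VaultState:
    # Hypothetical snapshot of the settings named in the mitigation list.
    is_leverage_enabled: bool      # Vault.setIsLeverageEnabled
    should_toggle_leverage: bool   # Timelock.setShouldToggleIsLeverageEnabled
    max_usdg_amounts: dict         # token -> cap; 0 means "no limit"
    usdg_amounts: dict             # token -> amount already minted against it

def mint_allowed(state, token, usdg_to_mint):
    """Model of the cap check: a cap of 0 disables the check entirely."""
    cap = state.max_usdg_amounts.get(token, 0)
    if cap == 0:
        return True
    return state.usdg_amounts.get(token, 0) + usdg_to_mint <= cap

def audit(state, uses_timelock):
    """Return the mitigation steps that have not been applied yet."""
    findings = []
    if state.is_leverage_enabled:
        findings.append("leverage is still enabled on the Vault")
    if uses_timelock and state.should_toggle_leverage:
        findings.append("Timelock still toggles leverage during execution")
    for token in sorted(state.usdg_amounts):
        cap = state.max_usdg_amounts.get(token, 0)
        if cap == 0:
            findings.append(f"{token}: maxUsdgAmount is 0, minting is uncapped")
        elif cap != 1:
            findings.append(f"{token}: maxUsdgAmount is {cap}, expected 1")
    return findings

# Constructed sample: WETH was "disabled" with 0 by mistake, USDC set to 1.
SAMPLE = VaultState(
    is_leverage_enabled=True,
    should_toggle_leverage=True,
    max_usdg_amounts={"WETH": 0, "USDC": 1},
    usdg_amounts={"WETH": 5_000_000, "USDC": 3_000_000},
)

if __name__ == "__main__":
    for line in audit(SAMPLE, uses_timelock=True):
        print("FINDING:", line)
    print("WETH mint allowed:", mint_allowed(SAMPLE, "WETH", 1_000))
    print("USDC mint allowed:", mint_allowed(SAMPLE, "USDC", 1_000))
```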

According to the latest update, the officials confirmed that the attack was only targeted at the GMX V1 version, while the GMX V2 version contract did not adopt the same calculation mechanism. However, out of caution, GMX has updated the cap on GMX V2 version tokens on Arbitrum and Avalanche, so currently, the minting of new tokens in most liquidity pools is restricted. We will notify as soon as this restriction is lifted.

In addition, on-chain data shows that GMX has left a message for the hacker address, admitting to encountering a vulnerability in the GMX V1 version, and is willing to offer a 10% white hat bounty. If the remaining 90% of the funds are returned within 48 hours, they promise not to take any further legal action.


GMX has left a message for the hacker address offering a 10% white hat bounty.

Hackers have transferred over $30 million in funds to a new address.

From on-chain indications, this appears to be a premeditated action. The hacker’s initial funds were transferred from the privacy mixing protocol Tornado Cash a few days ago, indicating that they had long been prepared for this attack.

After stealing over 40 million dollars in crypto assets, hackers quickly transferred over 30 million dollars in assets. According to on-chain data, the GMX hacker marked addresses (Address: 88 BTC (worth approximately 9.8 million dollars), over 2,200 ETH (worth approximately 5.85 million dollars), over 3 million USDC, over 1.3 million DAI were transferred to the new address 0x99cdeb84064c2bc63de0cea7c6978e272d0f2dae; over 4,300 ETH (worth approximately 11 million dollars) were transferred to the new address 0x6acc60b11217a1fd0e68b0ecaee7122d34a784c1. In total, over 30 million dollars in funds have been transferred to other new addresses.


Hackers stole assets worth over $40 million.


The current hacker address has a remaining balance of 10 million dollars that has not yet been transferred.

ZachXBT, the “on-chain detective”, criticized Circle’s inaction regarding hacking activities in a post on platform X. He stated that 1 to 2 hours had passed since the GMX attack, yet Circle had taken no action against the hackers. The attacker even used Circle’s Cross-Chain Transfer Protocol (CCTP) to move the stolen funds from Arbitrum to Ethereum.

Summary

The recent theft incident not only revealed critical flaws in the GMX V1 version regarding caller permission verification, state update timing, and leverage mechanism design, but also sounded the alarm for the entire industry once again: in systems involving complex financial logic (such as leverage and dynamic pricing) intertwined with contract execution paths, any unprotected entry could potentially become the starting point of a black swan event.

It is worth noting that hackers have converted most of the stolen assets into cryptocurrencies that are harder to freeze, especially decentralized assets like ETH and DAI, and have completed fund dispersal through multiple new addresses, further increasing the difficulty of tracking and recovering the assets. Moreover, the “10% white hat bounty for immunity” proposal put forward by GMX also exposes the real predicament of the current lack of a unified legal accountability mechanism in the Web3 world.

For DeFi developers, perhaps the more pressing question is not “how did the hacker succeed?” but rather—when the system manages real user assets, have sufficient mechanisms been established to limit the occurrence of the most extreme attack vectors? Otherwise, no matter how perfect the product logic is, once it lacks a design for security boundaries, it will ultimately be difficult to escape the costs of systemic risks.
