Analysis of GMX Security Incident Vulnerabilities and Tracking of Stolen Funds

金色财经

GMX was attacked: the attacker exploited a reentrancy vulnerability in the project's contracts and made a profit of approximately 42 million dollars. The Beosin security team conducted a vulnerability analysis and fund tracking for this incident and shares the results below:

Detailed Attack Steps

The attacker first exploited the margin refund mechanism in the executeDecreaseOrder function of the OrderBook contract to initiate a reentrancy attack that bypassed the leverage switch of the project's Timelock contract.

Then, the attacker borrowed USDC through a flash loan to stake and mint GLP, while simultaneously increasing a BTC short position with USDC as collateral. This inflated the AUM value of the GLPmanager contract, which in turn affects the price of GLP.

Finally, the attacker redeemed GLP at the abnormal price for profit, specifying other tokens to receive in exchange.

Vulnerability Analysis

From the attack process above, two root causes of the exploit can be identified:

  • Lack of reentrancy protection, leading to modifications of internal state during the redemption process.

  • The redemption logic is quite complex and lacks sufficient security checks.

Although GMX has undergone multiple security audits, this reentrancy vulnerability was still overlooked. If the redemption logic had been subjected to stricter checks and the potential for reentrancy vulnerabilities had been considered, such security incidents could have been avoided.
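To illustrate the missing protection described above, here is a simplified order book whose margin refund is an external call, shown first in the unsafe call-then-update pattern and then in a hardened form. This is example code added here, not GMX's contract code; the contract, function and variable names are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
abstract contract ReentrancyGuard {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Illustrative order book: an order holds ETH margin; executing the order refunds it.
contract OrderBookExample is ReentrancyGuard {
    struct Order { address account; uint256 margin; bool open; }
    mapping(uint256 => Order) public orders;

    function placeOrder(uint256 id) external payable {
        require(!orders[id].open, "order exists");
        orders[id] = Order(msg.sender, msg.value, true);
    }

    // UNSAFE pattern (for contrast only): the refund is an external call made while
    // the order is still marked open, so a receiving contract gets control before the
    // protocol's state is finalised and can call back into it mid-update.
    function executeDecreaseOrderUnsafe(uint256 id) external {
        Order storage o = orders[id];
        require(o.open, "not open");
        (bool ok, ) = o.account.call{value: o.margin}("");
        require(ok, "refund failed");
        o.open = false;      // state updated only after the external call
        o.margin = 0;
    }

    // HARDENED pattern: reentrancy guard plus checks-effects-interactions.
    function executeDecreaseOrder(uint256 id) external nonReentrant {
        Order storage o = orders[id];
        require(o.open, "not open");       // checks
        uint256 refund = o.margin;
        o.open = false;                    // effects before any external call
        o.margin = 0;
        (bool ok, ) = o.account.call{value: refund}("");   // interaction last
        require(ok, "refund failed");
    }
}
```

A guard that is local to one contract does not stop a callback from entering a different contract of the same protocol, so the whole redemption path (order book, vault, and price-affecting state) has to be covered, not just the function that performs the refund.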

Stolen Fund Tracking

Beosin Trace has tracked the stolen funds and found the following: the attacker's address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 profited approximately 42 million USD, then swapped the stablecoins and altcoins for ETH and USDC through DeFi protocols and transferred the stolen assets to the Ethereum network through multiple cross-chain protocols. Currently, stolen assets worth approximately $32 million in ETH are held at the following 4 Ethereum network addresses:

  • 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7

  • 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95

  • 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3

  • 0x639cd2fc24ec06be64aaf94eb89392bea98a6605

Approximately $10 million worth of assets are stored at the address 0xdf3340a436c27655ba62f8281565c9925c3a5221 on the Arbitrum network. Beosin Trace has added the hacker-related address to the blacklist and will continue to monitor it.

According to Beosin Trace analysis, all stolen funds are still held in multiple addresses of the attacker.

Summary

The core of this attack lies in the reentrancy vulnerability present in the GMX contract, allowing attackers to redeem a large amount of assets for profit through falsely inflated AUM values. Complex DeFi protocols like GMX require comprehensive and multi-layered security audits to thoroughly test and review contract code. Previously, the Beosin security team has completed multiple security audits for various DeFi protocols (such as Surf Protocol, SyncSwap, LeverFi, Owlto Finance), focusing on identifying contract logic flaws and extreme scenarios that might be overlooked, ensuring that DeFi protocols undergo thorough testing.
