GMX was hacked for $42 million: how should the security of decentralized finance be ensured?

Written by: ChandlerZ, Foresight News

On July 9, the V1 system of the decentralized trading platform GMX was attacked on the Arbitrum network. The attacker exploited vulnerabilities within the contract to withdraw approximately $42 million in assets from the GLP liquidity pool. GMX has suspended trading on the platform in response and has blocked the minting and redemption functions of GLP. The attack did not affect GMX’s V2 system or native tokens, but the incident has once again sparked discussions about the internal asset management mechanisms of DeFi protocols.

Attack process and capital flow

Analyses by the security firms PeckShield and SlowMist indicate that the attackers exploited a flaw in the AUM calculation logic of GMX V1. Because of this flaw, the contract updated the global average price immediately after a short position was opened. The attackers used this to construct a targeted sequence of operations that manipulated the token price and let them redeem at an inflated rate.

Attackers transferred approximately $9.65 million in assets from Arbitrum to Ethereum, which were then exchanged for DAI and ETH. Some of the funds flowed into the mixing protocol Tornado Cash. Approximately $32 million in assets remain on the Arbitrum network, involving tokens such as FRAX, wBTC, and DAI.

After the incident, GMX sent an on-chain message to the hacker’s wallet, requesting the return of 90% of the funds and offering a 10% white hat bounty. According to the latest on-chain data, the GMX hacker has already converted the assets stolen from the GMX V1 pool into ETH.

The assets stolen by the hacker include WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT. Currently, all assets except FRAX have been sold and exchanged for 11,700 ETH (approximately 32.33 million USD), spread across 4 wallets. The GMX hacker therefore currently holds 11,700 ETH (approximately 32.33 million USD) and 10.495 million FRAX across 5 wallets, with a total value of approximately 42.8 million USD.

According to analysis by Ember, the hacker’s actions also amount to a rejection of the GMX project’s proposal to return the assets in exchange for a 10% white hat bounty.

Defects in contract logic

Security companies have pointed out that the attackers neither gained unauthorized access to the contract nor bypassed its permission controls. Instead, they called the functions through their intended logic, but re-entered them repeatedly during execution by exploiting the gap between an external call and the subsequent state update, a typical reentrancy pattern.

SlowMist stated that the root cause of this attack lies in a design flaw of GMX V1: short position operations immediately update the global short average price (globalShortAveragePrices), which directly feeds into the calculation of assets under management (AUM) and therefore makes GLP token pricing manipulable. The attacker took advantage of the Keeper enabling leverage via “timelock.enableLeverage” during order execution (a prerequisite for opening a large number of short positions) to exploit this design flaw. Through a reentrancy attack, the attacker opened a large number of short positions, manipulated the global average price, artificially inflated the GLP price within a single transaction, and profited by redeeming GLP.

This is not the first attack of its kind in DeFi. When a contract’s balance or position updates lag behind asset minting or redemption, a temporarily inconsistent state is exposed, and an attacker can construct a sequence of operations that extracts assets that are not backed by collateral.

GMX V1 uses a shared fund pool design: assets from many users are combined into a single vault, with account information and liquidity state managed by the contract. GLP is the LP token representing this pool, and its price and exchange ratio are calculated dynamically from on-chain data and contract logic. Such synthetic-token systems carry identifiable risks, including widened arbitrage opportunities, room for price manipulation, and state that lags across calls.
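A simplified model of the pattern described above, added here as an illustration and not GMX’s own code: a shared pool whose LP token is priced as AUM divided by supply, with a redeem function that either pays out before updating balances (the ordering that lets a re-entering caller redeem against stale state) or applies effects first behind a reentrancy lock. The Vault, Attacker and run_scenario names and all figures are constructed.

```python
# Toy shared-pool LP vault (constructed for illustration; not GMX code). Shares priced at AUM / supply.
class Vault:
    def __init__(self, pool_usd, holders, hardened):
        self.pool_usd = pool_usd   # USD value of the pool's assets (AUM)
        self.glp = dict(holders)   # LP-token balance per holder
        self.hardened = hardened   # True: effects before interactions + reentrancy lock
        self._entered = False
    def glp_price(self):
        return self.pool_usd / sum(self.glp.values())  # AUM / supply
    def redeem(self, holder, amount, receiver):
        if self.hardened and self._entered:
            raise RuntimeError("redeem() re-entered")
        self._entered = True
        try:
            if self.glp[holder] < amount:
                raise ValueError("insufficient LP tokens")
            payout = amount * self.glp_price()
            if self.hardened:
                # Checks-effects-interactions: burn shares and debit the pool first.
                self.glp[holder] -= amount
                self.pool_usd -= payout
                receiver.on_payout(self, payout)
            else:
                # Vulnerable ordering: the external call runs while balances and AUM still reflect
                # the pre-redemption state, so a nested redeem() is priced against stale accounting.
                receiver.on_payout(self, payout)
                self.glp[holder] -= amount
                self.pool_usd -= payout
        finally:
            self._entered = False
        return payout

class Attacker:  # payout receiver that re-enters redeem() a fixed number of times
    def __init__(self, rounds):
        self.rounds, self.received = rounds, 0.0
    def on_payout(self, vault, payout):
        self.received += payout
        if self.rounds > 0:
            self.rounds -= 1
            try:
                vault.redeem("attacker", 100.0, self)
            except RuntimeError:
                pass  # the hardened vault rejects the nested call

def run_scenario(hardened):  # -> (USD extracted, fair value of 100 shares, pool left)
    vault = Vault(1000.0, {"lp": 900.0, "attacker": 100.0}, hardened)
    fair_value = 100.0 * vault.glp_price()
    attacker = Attacker(rounds=2)
    vault.redeem("attacker", 100.0, attacker)
    return attacker.received, fair_value, vault.pool_usd
```

With the vulnerable ordering the nested calls each pass the balance check and are paid at the unchanged price, so the holder of 100 shares worth $100 walks away with $300 and the other LPs absorb the shortfall; the hardened vault pays exactly $100.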

Official Response

GMX officially released a statement shortly after the attack, stating that the incident only affected the V1 system and its GLP liquidity pool. GMX V2, native tokens, and other markets were not impacted. To prevent potential future attacks, the team has suspended trading operations on V1 and disabled GLP minting and redemption functions on Arbitrum and Avalanche.

The team also stated that its current focus is on restoring operational security and auditing the internal mechanisms of the contract. The V2 system does not inherit the logical structure of V1 and adopts different mechanisms for liquidation, pricing, and position handling, with limited risk exposure.

The GMX token fell by more than 17% within 24 hours after the attack, dropping from around $14.42 to a low of $10.3, and has currently slightly rebounded to $11.78. Before the incident, the total trading volume of GMX across the network exceeded $30.5 billion, with over 710,000 registered users and an open contract size exceeding $229 million.

The security of crypto assets continues to face pressure

The GMX attack is not an isolated incident. Since the start of 2025, cumulative losses from hacker attacks across the cryptocurrency industry have exceeded those of the same period last year. Although the number of incidents fell in the second quarter, this does not mean the risks have abated. A CertiK report indicated that in the first half of 2025, total losses from hacks, scams, and exploits exceeded $2.47 billion, an increase of nearly 3% over the $2.4 billion stolen in 2024. The theft from Bybit’s cold wallet and the breach of the Cetus DEX together accounted for $1.78 billion, the majority of the total. This concentration of large-scale thefts shows that high-value assets still lack sufficient isolation and redundancy, and that weaknesses in platform design have not been effectively addressed.

Among attack types, wallet compromises caused the most severe economic losses. In the first half of the year there were 34 such incidents, with approximately $1.7 billion in assets transferred out. Compared with technically complex exploits, wallet attacks are mostly carried out through social engineering, phishing links, or deceptive permission grants, which have a lower technical threshold but are highly destructive. Hackers are increasingly targeting the user-side entry points to assets, especially where multi-factor authentication is not enabled or where hot wallets are relied upon.

At the same time, phishing attacks continue to grow rapidly and have become the most common attack vector. A total of 132 phishing attacks were recorded in the first half of the year, with cumulative losses of $410 million. Attackers lead users into mistakes that expose private keys or grant authorizations by forging web pages, contract interaction interfaces, or disguised transaction confirmation flows. Because attackers keep adjusting their tactics, phishing is becoming harder to recognize, and user-side security awareness and tooling have become a key line of defense.
