GMX Hacker Returns $40.5 Million After Bounty Offer

The hacker responsible for the recent $40 million exploit of the decentralized exchange GMX has initiated the process of returning the stolen funds. This action comes days after GMX offered a $5 million bounty and assured the hacker of no legal repercussions if the majority of the crypto was returned.

The breach specifically targeted GMX’s V1 liquidity pool on Arbitrum, resulting in the draining of various assets including USDC, FRAX, WBTC, and WETH. The attack was facilitated by a re-entrancy bug in the platform’s OrderBook contract, which allowed the hacker to manipulate short positions on BTC, inflate the price of GLP tokens, and subsequently cash out with a significant profit. In response to the exploit, GMX froze all V1 trading and minting activities on both Arbitrum and Avalanche.

On Friday, the attacker responded to GMX’s onchain bounty message with a straightforward reply: “ok, funds will be returned later.” Blockchain analytics firm PeckShield confirmed that the exploiter had returned $5.5 million in FRAX, followed by another $5 million shortly after. Additionally, ETH transfers totaling around $30 million were tracked back to GMX’s deployer address.

The hacker had a 48-hour window to comply with the terms or face potential legal action. GMX’s public bounty offer, which is equal to 10% of the stolen sum, remains available from its treasury.

In the aftermath of the exploit, GMX’s token experienced a 28% drop but rebounded around 14% on Friday as the funds began to be returned. It was last trading at $13.25.

The GMX team published a post-mortem on Thursday, confirming that V1 was hit by a re-entrancy vulnerability and that V2 operations were unaffected. Moving forward, the team announced that minting and redeeming GLP on Arbitrum will be disabled, and the remaining funds will be used to reimburse affected users. A DAO vote is expected to decide on further compensation measures.

The GMX exploit serves as a stark reminder of the challenges faced by DeFi protocols as they navigate complex codebases, real-world incentives, and increasingly sophisticated attackers. Despite the significant financial and reputational costs, the situation appears to be heading towards a relatively peaceful resolution.