GMX Loses $40 Million in Re-entrancy Attack on V1 Platform

GMX, a decentralized exchange specializing in perpetual futures trading, announced on Wednesday that an initial version of its platform had been exploited. Approximately $40 million worth of tokens were transferred from GMX V1, which was launched on the Ethereum layer-2 scaling network Arbitrum in 2021, to an unknown wallet. In response to the exploit, GMX V1 trading was halted, along with the minting and redeeming of GMX’s GLP token on both Arbitrum and the layer-1 network Avalanche.

The stolen assets included around $10 million worth of Bitcoin, $10 million worth of Circle’s USDC stablecoin, $8.5 million worth of Ethereum, approximately $1 million worth of Tether’s USDT stablecoin, as well as significant amounts of the Uniswap and Chainlink tokens. The exploit appears to be a re-entrancy attack, which abused the logic behind minting GLP tokens. The attacker could trick the contract into thinking they hadn’t withdrawn anything, allowing them to mint more tokens repeatedly using the same base funds. This was not a quick smash-and-grab but a meticulously planned and executed attack.

GMX advised users to disable leverage trading and GLP minting. The vulnerability is specific to GMX V1 and relates to the calculation of the short average price on V1. The attacker’s wallet was funded days before the exploit via Tornado Cash, an Ethereum coin mixer previously sanctioned by the U.S. government for alleged money laundering activities. PeckShield, a blockchain security and data analytics firm, noted that the vulnerability likely applies to forked versions of GMX, urging them to exercise caution.

Re-entrancy vulnerabilities allow an attacker to make multiple calls or interactions with a smart contract within a single function, tricking the contract into calculating an improper balance. One of the most notable examples of such an attack was the $55 million 2016 DAO hack on Ethereum. Wednesday’s exploit is distinct from the $1.4 billion loss experienced by Bybit in February, where a developer’s workstation was compromised, leading to the largest crypto hack to date.

Within GMX’s official Telegram channel, users expressed concern about whether GLP token investors would be refunded. GMX plans to post a detailed postmortem once the project’s investigation is complete. In a message sent to the attacker on-chain, GMX offered a “10% white-hat bounty,” equating to $4 million. The project urged a “swift and ethical resolution,” stating that it would pursue no further legal action if the funds were returned within 48 hours.