GMX Recovers 90% of Stolen Funds After Offering 10% White-Hat Bounty

GMX, a decentralized exchange, faced a significant security breach on July 9, 2025, when a vulnerability in its V1 platform led to the theft of approximately $42 million in assets. In response, GMX swiftly offered a 10% white-hat bounty, amounting to roughly $4.2 million, to the hacker in exchange for the return of the remaining 90% of the stolen funds. The platform also pledged not to pursue legal action against the hacker, aiming to recover the funds without further escalation.

The hacker, in response to the bounty offer, began returning the stolen assets. By July 11, the hacker had transferred back a total of $37.5 million worth of cryptocurrencies, including approximately 9,000 ETH and 10.5 million FRAX, to the GMX Security Committee Multisig address. This amount represents nearly 90% of the total funds stolen in the exploit. The transfers were made in several batches around 8:00 AM UTC, demonstrating the hacker's compliance with the bounty agreement.

GMX's proactive approach to resolving the exploit showcased the effectiveness of offering substantial bounties and ensuring no legal repercussions. This strategy not only helped in recovering a majority of the stolen funds but also mitigated potential damage to the platform's reputation. The native token GMX (GMX) experienced a modest recovery, jumping 16% following the news of the fund returns, which helped to stabilize the market sentiment surrounding the incident.

The remaining funds, estimated to be around $4.5 million, have not yet been returned, and it remains unclear whether the attacker intends to do so. Despite this, GMX's handling of the situation has been praised for its swift and effective response, setting a precedent for how decentralized exchanges can manage and recover from significant security breaches. The incident highlights the importance of offering incentives to hackers to return stolen funds, thereby minimizing the impact of such exploits on the platform and its users.

This event is reminiscent of previous DeFi exploits such as those affecting Curve and Poly Network. Such instances indicate a sector leaning on bargain-based recovery, which GMX's case appears to underscore successfully. The decentralized exchange GMX faced a significant breach on July 11, 2025, which involved the exploitation of its GLP pool on Arbitrum. Leveraging community trust, GMX quickly initiated a bounty negotiation with the exploiter. In response, the attacker returned the funds, beginning with FRAX tokens, after accepting a $5 million bounty offer from GMX. This arrangement was followed by clear communication through on-chain messages and project updates.

The breach initially caused a steep decline in TVL and user activity within the GMX protocol as transactions halted. Community and on-chain monitoring played critical roles in tracking fund returns, starting with 5M FRAX confirmed on-chain. This incident affected several digital assets including USDC, FRAX, WBTC, and WETH, with part of the exploited funds reportedly converted into 11,700 ETH. The proactive bounty negotiation enabled a swift return of these assets.

While the GMX exchange opted for bounty negotiation, regulators haven't publicly commented. The no law enforcement guarantee negotiated suggests a trend in DeFi for internal resolution over external intervention. This event is reminiscent of previous DeFi exploits such as those affecting Curve and Poly Network. Such instances indicate a sector leaning on bargain-based recovery, which GMX's case appears to underscore successfully.