GMX v1 Protocol Flaw Leads to $42 Million Theft

Generated by AI AgentCoin World
Thursday, Jul 10, 2025 1:51 am ET

On July 10th, SlowMist Cosmos revealed that the recent $42 million theft from GMX was due to a fundamental design flaw in the GMX v1 protocol. The protocol immediately updates the global short average price when handling short positions, which directly affects the calculation of the total assets under management (AUM). This flaw allowed the attacker to manipulate the token price.

The attacker exploited this vulnerability by using a Keeper to enable the timelock.enableLeverage feature during order execution. This feature is a necessary condition for creating large short positions. By employing a reentrancy attack, the attacker successfully created a large short position, manipulating the global average price. This manipulation artificially inflated the GLP price in a single transaction, allowing the attacker to profit through redemption operations.
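The dependency described above can be checked defensively. The following is an added example, not code from the article, SlowMist or GMX: a simplified Python model of a redemption guard that compares the share price at the start of a transaction with the price at redemption time. It assumes unrealized short PnL is measured against the global short average price and folded into AUM; all names, the simplified formula and the numbers are constructed.

```python
from dataclasses import dataclass, replace

SCALE = 10**6  # fixed-point scale for the share price


@dataclass(frozen=True)
class PoolState:
    pool_value: int       # USD value of pooled assets (constructed units)
    short_size: int       # total open short size, USD
    short_avg_price: int  # global short average entry price
    mark_price: int       # current oracle price
    share_supply: int     # LP token supply


def aum(s: PoolState) -> int:
    """Assumed model: pool value plus the shorts' unrealized loss (minus their profit)."""
    if s.short_size == 0:
        return s.pool_value
    shorts_loss = s.short_size * (s.mark_price - s.short_avg_price) // s.short_avg_price
    return max(s.pool_value + shorts_loss, 0)


def share_price(s: PoolState) -> int:
    return aum(s) * SCALE // s.share_supply


def move_bps(tx_start: PoolState, now: PoolState) -> int:
    """Share-price change since the transaction began, in basis points."""
    p0, p1 = share_price(tx_start), share_price(now)
    return abs(p1 - p0) * 10_000 // p0


def redemption_allowed(tx_start: PoolState, now: PoolState, max_move_bps: int = 100) -> bool:
    """Refuse redemption if the share price moved too far within one transaction."""
    if share_price(tx_start) == 0:
        return False
    return move_bps(tx_start, now) <= max_move_bps


# Constructed states: an ordinary oracle tick versus a distorted average price.
START = PoolState(1_000_000, 500_000, 100, 100, 1_000_000)
ORACLE_TICK = replace(START, mark_price=101)
DISTORTED = replace(START, short_avg_price=50)  # average price shifted mid-transaction

if __name__ == "__main__":
    for name, state in (("oracle tick", ORACLE_TICK), ("distorted average", DISTORTED)):
        print(name, move_bps(START, state), "bps, allowed:", redemption_allowed(START, state))
```

In this model the oracle tick moves the share price by 50 bps and passes, while the distorted average raises AUM by half and is refused.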

The incident highlights the critical need for enhanced security measures in decentralized finance (DeFi) protocols. The design flaw in GMX v1 demonstrates how vulnerabilities can be exploited to manipulate token prices and result in significant financial losses. The attack serves as a reminder of the potential risks associated with DeFi platforms and the importance of continuous improvement in security protocols.

Investors are advised to exercise caution when dealing with various virtual token issuances and speculations. The incident underscores the importance of rational blockchain investment and heightened risk awareness. As the DeFi ecosystem continues to evolve, it is essential for platforms to prioritize security and implement robust measures to protect against such exploits.
