GMX was stolen $42 million，How Can DeFi Security Be Ensured?

Original Article Title: "GMX Hacked for $42 Million, How Can DeFi Security Be Improved?"

Original Author: ChandlerZ, Foresight News

On July 9, the decentralized exchange GMX's V1 system was attacked on the Arbitrum network. The attacker exploited a vulnerability in the contract to drain approximately $42 million from the GLP liquidity pool. GMX has since halted trading on the platform and disabled minting and redeem functions for GLP. The attack did not affect GMX's V2 system or native token, but it has reignited discussions about DeFi protocol's internal asset management mechanisms.

Attack Process and Fund Flow

Security firms PeckShield and SlowMist analysis indicated that the attacker exploited a flaw in GMX V1's AUM calculation logic. This flaw caused the contract to update the global average price immediately after opening a short position. The attacker utilized this to construct a targeted operation path, enabling token price manipulation and arbitrage redemption.

The attacker transferred approximately $9.65 million from Arbitrum to Ethereum, exchanging it for DAI and ETH. Part of the funds flowed into the privacy protocol Tornado Cash. Around $32 million assets are still on the Arbitrum network involving tokens such as FRAX, wBTC, and DAI.

Following the incident, GMX made an on-chain plea to the hacker's address, requesting the return of 90% of the funds and offering a 10% white-hat bounty. However, according to the latest on-chain data, the GMX hacker has converted the stolen assets from the GMX V1 pool into ETH.

The stolen assets include WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT. Currently, all assets except FRAX have been sold, exchanged for 11,700 ETH (approximately $32.33 million), which has been dispersed into 4 wallets for storage. Thus, the GMX hacker now holds 11,700 ETH (approximately $32.33 million) and 10.495 million FRAX through 5 wallets. The total value is approximately $42.8 million.

An analysis by Ember Sword indicated that the hacker's actions likely signify a rejection of GMX's proposal to return the assets in exchange for a 10% white-hat bounty.

Flaw in Smart Contract Logic

A security firm has pointed out that the attacker did not rely on unauthorized contract access or bypassed permission controls. Instead, the attacker directly targeted expected logical function operations and exploited the time difference in state updates to repeatedly call the function during execution, a typical reentrancy operation.

SlowMist stated that the root cause of this attack was a design flaw in GMX v1. Short position operations would immediately update the global short average prices, directly impacting Asset Under Management (AUM) calculation and thereby manipulating the pricing of the GLP token. The attacker utilized Keeper to enable the "timelock.enableLeverage" function during order execution (a prerequisite for creating a large number of short positions) to exploit this design flaw. Through reentry attacks, the attacker successfully established numerous short positions, manipulated the global average price, artificially inflated the GLP price in a single transaction, and profited through redemption operations.

Such attacks are not new to DeFi projects. When contract balances or position updates lag behind asset minting or redemption, a brief inconsistent state may be exposed, allowing attackers to construct an operation path and extract uncollateralized assets. GMX V1 utilizes a shared vault design composed of multiple user assets forming a unified vault controlled by the contract with account information and liquidity status. The GLP token represents this pool as an LP token, and its price and exchange rate are dynamically calculated based on on-chain data and contract logic. Such synthetic token systems exhibit observable risks, including amplified arbitrage opportunities, formation of manipulation space, and lag between state cross-calls.

Official Response

Following the attack, the GMX team promptly released a statement indicating that this attack only affected the V1 system and its GLP liquidity pool. GMX V2, native tokens, and other markets remain unaffected. To prevent possible subsequent attacks, the team has suspended trading operations on V1 and disabled GLP minting and redemption functions on Arbitrum and Avalanche.

The team also declared that their current focus is on restoring operational security and auditing the internal contract mechanisms. The V2 system does not inherit V1's logic structure, employing different liquidation, pricing, and position handling mechanisms with limited risk exposure.

Within 24 hours of the attack, the GMX token plummeted over 17%, dropping from around $14.42 to $10.3 and currently showing a slight recovery, now trading at $11.78. Prior to the event, GMX had a total network-wide trading volume exceeding $30.5 billion, with over 710,000 registered users and an outstanding contract size of over $229 million.

Cryptocurrency Asset Security Under Continued Pressure

The GMX attack is not an isolated incident. Since 2025, the cryptocurrency industry has suffered cumulative losses due to hacks that have exceeded the same period last year. While the number of events decreased in the second quarter, this does not mean that the risk has subsided. According to the CertiK report, in the first half of 2025, the total losses caused by hackers, scams, and exploits have exceeded $2.47 billion, a nearly 3% year-on-year increase compared to the $2.4 billion stolen in 2024. The theft of Bybit's cold wallets and the hack of Cetus DEX have resulted in a total loss of $1.78 billion, accounting for a major portion of all losses. This centralized large-scale theft illustrates that high-value assets still lack sufficient isolation and redundancy mechanisms, and the vulnerability in platform design has not been effectively addressed.

Among the types of attacks, wallet intrusions have resulted in the most severe economic losses. There were a total of 34 incidents in the first half of the year, leading to around $1.7 billion in assets being transferred out. Compared to the technically sophisticated exploits, wallet attacks are mostly achieved through social engineering, phishing links, or permission deception, with lower technical barriers but high destructive power. Hackers are increasingly targeting users' asset entry points, especially in scenarios where multi-factor authentication is not enabled or when relying on hot wallets.

Furthermore, network phishing attacks continue to grow rapidly, becoming the most common type of events. There were 132 phishing attacks recorded in the first half of the year, resulting in a total loss of $410 million. Attackers use methods such as spoofed web pages, contract interaction interfaces, or disguised transaction confirmation processes to guide users into making mistakes, allowing them to obtain private keys or authorization permissions. Attackers are constantly adjusting their strategies to make phishing attempts harder to detect, making user-side security awareness and tooling crucial lines of defense.