Another Blow to DeFi: GMX Hacked for $40 Million
In the latest high-profile DeFi security breach, decentralized crypto exchange GMX has reported a loss of $40 million due to a sophisticated exploit targeting a vulnerability in its V1 protocol. The incident exposed fundamental risks in DeFi architecture and once again raised concerns about the security of smart contracts.
Reentrancy Attack on OrderBook.sol
At the heart of the exploit was a reentrancy vulnerability, a well-known smart contract flaw in which a contract that is called mid-transaction calls back into its caller before the first invocation has finished updating its state. In this case, the attacker reached the increasePosition function of the Vault contract directly. Under normal conditions that function is only reachable through PositionRouter and PositionManager, but a reentrancy path in OrderBook.sol allowed the attacker to invoke it outside that route.
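The pattern described above, as an added toy model written for this article rather than GMX's own code: the vault only lets positions be opened while an approved executor has switched leverage on for the duration of an order, and the vault pays a receiver by calling into it before that window closes. Those two design assumptions are mine, chosen to illustrate the class of bug; the guarded variant shows the standard fix, a reentrancy lock held across the external call.

```python
"""Toy model of the reentrancy pattern, constructed for this article.

Assumptions (not a description of GMX's actual contracts): position
opening on the vault is gated by a flag that an approved executor turns on
only for the duration of an order, and the vault pays a receiver by calling
into it before that window closes."""


class ReentrancyError(RuntimeError):
    pass


class Vault:
    def __init__(self, guarded: bool):
        self.guarded = guarded          # hardened variant uses a reentrancy lock
        self.locked = False
        self.leverage_enabled = False   # set only by an approved executor
        self.positions = []             # (account, size_usd) opened on the vault

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrancyError("reentrant call rejected")
        self.locked = True

    def _exit(self):
        self.locked = False

    def increase_position(self, account: str, size_usd: float) -> None:
        # Access check: only while an executor has enabled leverage.
        if not self.leverage_enabled:
            raise PermissionError("leverage disabled: use the position router")
        self._enter()
        self.positions.append((account, size_usd))
        self._exit()

    def decrease_position(self, receiver, payout: float) -> None:
        self._enter()
        # Interaction with an untrusted contract while the window is open:
        # the receiver can call back into the vault from here.
        receiver.on_receive(payout, self)
        self._exit()


class Executor:
    """Approved executor: opens the leverage window, runs the order, closes it."""

    def execute_decrease_order(self, vault: Vault, receiver, payout: float) -> None:
        vault.leverage_enabled = True
        try:
            vault.decrease_position(receiver, payout)
        finally:
            vault.leverage_enabled = False


class ReentrantReceiver:
    """Attacker contract: its receive hook re-enters the vault while
    leverage is enabled, bypassing the executor's own bookkeeping."""

    def __init__(self, size_usd: float):
        self.size_usd = size_usd
        self.rejected = None

    def on_receive(self, payout: float, vault: Vault) -> None:
        try:
            vault.increase_position("attacker", self.size_usd)
        except ReentrancyError as e:
            self.rejected = str(e)


def run_attack(guarded: bool):
    """Returns (positions opened on the vault, rejection message or None)."""
    vault = Vault(guarded=guarded)
    attacker = ReentrantReceiver(15_300_000.0)
    Executor().execute_decrease_order(vault, attacker, payout=1.0)
    return vault.positions, attacker.rejected


def direct_call_rejected() -> bool:
    """Outside an executor's window the direct path must stay closed."""
    try:
        Vault(guarded=True).increase_position("anyone", 1.0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unguarded:", run_attack(False))
    print("guarded:  ", run_attack(True))
```

The unguarded run ends with a $15.3M position that no executor ever accounted for; the guarded run rejects the nested call because the lock taken in decrease_position is still held when the receiver calls back. The access-control flag alone is not enough, since it is legitimately on at the moment of the callback.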
The attacker used this access to corrupt the protocol's short position accounting, driving the recorded global average short price for Bitcoin from $109,505 down to just $1,913. Because GLP, GMX's liquidity token, is priced from the pool's assets under management, which include the unrealised losses of open short positions, a wildly understated average entry price makes every short look deeply underwater and the pool look far richer than it is. The distortion therefore flowed straight from the PnL model into the GLP price.
Flash Loan Manipulation and Inflated GLP Prices
To cash out, the attacker took a flash loan and used it to buy GLP at its genuine market price of about $1.45. Opening a $15.3 million short against the corrupted average price then caused the protocol to book roughly $859 million of unrealised loss on that short, which the pool counts as its own gain, and the GLP price jumped above $27. The attacker sold GLP at the inflated price, pocketed nearly $40 million in profit, and swiftly moved the funds to an unidentified wallet.
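The arithmetic behind those numbers, as an added example that is not part of the original article: it models GMX-V1-style AUM accounting as I understand it (GLP is worth the pool's assets plus the unrealised losses of open shorts minus their unrealised profits), and the pool value and GLP supply are constructed round numbers chosen so GLP starts near $1.45, not the real Arbitrum pool. The plausibility check at the end is my own monitoring suggestion, not a GMX mechanism.

```python
"""GLP pricing under a corrupted global short average price (constructed example).

Models GMX-V1-style AUM accounting as I understand it: GLP is worth the
pool's assets plus the unrealised losses of open shorts (which the pool
stands to collect) minus their unrealised profits. Pool value and GLP
supply below are made-up round numbers, not the real Arbitrum pool."""

from dataclasses import dataclass


@dataclass
class ShortState:
    size_usd: float    # aggregate open short size for the token, in USD
    avg_price: float   # global average entry price of those shorts


def global_short_delta(short: ShortState, mark_price: float):
    """Unrealised PnL of the aggregate short versus the mark price.
    Returns (delta_usd, shorts_in_profit)."""
    if short.size_usd == 0:
        return 0.0, False
    price_delta = abs(short.avg_price - mark_price)
    delta = short.size_usd * price_delta / short.avg_price
    return delta, short.avg_price > mark_price


def glp_aum(pool_value_usd: float, shorts: dict, marks: dict) -> float:
    """AUM = pool assets + shorts' losses - shorts' profits (floored at 0)."""
    aum = pool_value_usd
    short_profits = 0.0
    for token, short in shorts.items():
        delta, in_profit = global_short_delta(short, marks[token])
        if in_profit:
            short_profits += delta
        else:
            aum += delta
    return max(aum - short_profits, 0.0)


def glp_price(pool_value_usd: float, shorts: dict, marks: dict, glp_supply: float) -> float:
    return glp_aum(pool_value_usd, shorts, marks) / glp_supply


def avg_price_plausible(short: ShortState, mark_price: float,
                        max_deviation: float = 0.5) -> bool:
    """Monitoring heuristic (my suggestion, not a GMX mechanism): a global
    average entry price far from the current mark cannot have come from
    real trades and should trip an alert or pause minting."""
    return abs(short.avg_price - mark_price) / mark_price <= max_deviation


# Constructed pool, sized so GLP trades near the $1.45 quoted in the article.
BTC_MARK = 109_505.0
POOL_VALUE_USD = 45_000_000.0
GLP_SUPPLY = 31_000_000.0


def scenario(avg_short_price: float, short_size_usd: float = 15_300_000.0) -> float:
    """GLP price with a single $15.3M BTC short booked at avg_short_price."""
    shorts = {"BTC": ShortState(short_size_usd, avg_short_price)}
    return glp_price(POOL_VALUE_USD, shorts, {"BTC": BTC_MARK}, GLP_SUPPLY)


if __name__ == "__main__":
    honest = scenario(BTC_MARK)       # short opened at the mark: no delta
    corrupted = scenario(1_913.0)     # the average price from the article
    delta, _ = global_short_delta(ShortState(15_300_000.0, 1_913.0), BTC_MARK)
    print(f"honest GLP price:    ${honest:.2f}")
    print(f"phantom short loss:  ${delta / 1e6:.1f}M")
    print(f"corrupted GLP price: ${corrupted:.2f}")
    print("avg price plausible:", avg_price_plausible(ShortState(15_300_000.0, 1_913.0), BTC_MARK))
```

With the average price at $1,913 and BTC marked at $109,505, a $15.3M short carries a phantom loss of about $860M, within rounding of the $859M figure above, and that entire amount is added to AUM before dividing by the GLP supply. The deviation check is the kind of invariant that would have flagged the state long before minting and redemption could be abused: no real book of shorts has an average entry 98% below the current mark.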
Immediate Response and Mitigation
Following the exploit, GMX halted trading on Avalanche and worked closely with ecosystem partners, including Arbitrum, Circle, Tether, and Frax, to trace and contain the stolen assets. Importantly, GMX confirmed that GMX V2 is not exposed to this attack: its unified contract structure does not contain the reentrancy path that was abused in V1.
As a precaution, minting limits on GMX V2 were temporarily reduced on both Arbitrum and Avalanche. Once the exploit was understood and the V2 protocol confirmed safe, those limits were lifted. Around $3.6 million in tokens remain locked in GLP pools from open positions, and $500,000 in fees will be directed to the GMX DAO for partial compensation.
Restrictions and Recovery Efforts
Currently, minting and redemption of GLP on Arbitrum are disabled, while only redemption remains active on Avalanche. Users have been advised to manually cancel active orders on V1, as new positions are now prohibited.
In a bold move, GMX has offered a $5 million bounty to the hacker in exchange for the return of the stolen funds — a tactic that has seen mixed results in past crypto breaches.
Conclusion: The Fragility of DeFi Security
This incident is another stark reminder that DeFi platforms are only as strong as their smart contract code, and that a derived value such as a global average entry price becomes an attack surface in its own right once it feeds the price of a pool token. While GMX V2 appears safe for now, the broader takeaway is clear: reentrancy attacks continue to pose serious threats to decentralized finance. For DeFi to scale securely, protocols must prioritize auditable architecture, invariant checks on the values that drive pricing, real-time monitoring, and user education.