GMX Suffers $40M Exploit via Re-Entrancy Attack on Arbitrum Network
Decentralized exchange protocol GMX disclosed a significant exploit on Wednesday, revealing approximately $40 million worth of assets were stolen from its V1 platform deployed on the Arbitrum network.
Key details of the incident
- Targeted assets included roughly $10M Bitcoin, $8.5M Ethereum, $10M USDC, $1M USDT, and substantial amounts of UNISWAP and CHAINLINK tokens, according to GMX data.
- The at-risk token was GLP, which represents liquidity provision and earns trading fees.
- The attack method is believed to be a re-entrancy vulnerability, a known exploit vector that allows an attacker to repeatedly interact with a smart contract, said Suhail Kakar of TAC (GMX’s security firm).
- A bounty of $4 million (10% white-hat reward) was extended to anyone returning the funds within 48 hours.
GMX Response and Consequences
- Trading on GMX V1 has been disabled on both Arbitrum (a layer-2 network) and Avalanche (a layer-1 network).
- GMX advised users to disable leverage trading and GLP minting.
- Several security firms were involved, including blockchain analytics provider PeckShield.
Technical Perspective
A re-entrancy vulnerability allows an attacker to trigger contract interactions multiple times within the same transaction, often leading to fund draining, as explained by blockchain security experts. PeckShield noted that the attacker had potentially funded their wallet days prior via Tornado Cash, an Ethereum mixer previously sanctioned by the US government.
Historical Context
The $40M incident is compared to the 2016 DAO Hack ($55M) and contrasts with Bybit’s February 2024 breach ($1.4B), the largest single crypto theft ever recorded.
In a direct on-chain message to the attacker, GMX urged a swift resolution, stating that it would not pursue penalties if the funds were returned within 48 hours. The company said the vulnerability was tied to the “short average price calculation” on V1. Further analysis details will be shared once the investigation is complete.