GMX Re-Entrancy Attack: $40M Stolen, $500K Bounty Distributed via Tornado Cash
Following a suspected $40 million theft leveraging a re-entrancy vulnerability on the decentralized exchange (DEX) GMX, the attacker distributed approximately $500,000 worth of cryptocurrency to the mixer Tornado Cash after allegedly repatriating the bulk of the stolen funds.
Key Points
- GMX alerted Crypto Corner on Thursday that funds held in an emergency response address were returned following the attack.
- On-chain analysis indicates the attacker received and accepted a $500k bounty (10% white-hat reward) for restoring funds.
- Against the initial $40 million stolen, blockchain data from reputable sources such as PeckShield confirms roughly $40.5 million has been returned.
- Despite the repatriation, $500,000 remains missing; 1,700 ETH sent from the attacker’s wallet recently entered Tornado Cash.
- GMX confirms it was a sophisticated re-entrancy attack targeting its GLP (General Liquidity Pool) pool logic specifically on the Arbitrum network.
- Ethereum hit new highs and Bitcoin surpassed $3,000 during this period, increasing the total value extracted and subsequently repatriated.
- GMX GPU token price reacted sharply (+16% day-over-day), reversing earlier daily losses.
On Wednesday, GMX identified a critical vulnerability and initiated an emergency protocol after $40 million worth of cryptocurrency vanished from its system. The exploited code flaw allowed an attacker to bypass security measures within the platform’s GLP pool mechanism.
A GMX administrator noted the attack was a calculated, long-term plan (“precision hit”) rather than an opportunistic smash-and-grab. According to on-chain data providers, the perpetrators accepted the exchange’s 10% bounty offer, which was conditional on full fund restoration.
The returned assets, valued at between $40M and $40.5M, include various amounts of Ethereum and the stablecoin Frax. The total figure increased after Bitcoin’s pre-market rally and Ethereum crossing the $3,000 threshold.
PeckShield reported the bounty and the fund return announcement. Even so, the exchange identified that $500,000 worth of funds remains unaccounted for; those funds were moved out after the bounty was accepted, with activity recently observed in Tornado Cash transactions.
Technical details indicate the attacker exploited GLP manipulation, particularly affecting short position calculations for Bitcoin. This allowed the adversary to redeem GLP tokens at falsely elevated values before repatriating substantial sums.
Experts previously highlighted the maturity of blockchain forensics tools as a key factor increasing bounty program effectiveness. Despite heightened awareness of re-entrancy as a common smart contract vulnerability (notable examples include the DAO hack), such incidents continue to occur.
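To make the re-entrancy pattern concrete, here is an added illustration in Solidity that is not GMX's code: a hypothetical, simplified pool whose LP shares are priced from pool balance divided by total shares (the way an AUM-priced token like GLP is), shown in a vulnerable form and a hardened form. It demonstrates the general interaction-before-effect bug rather than the specific short-position accounting the article mentions; PoolBase, VulnerablePool, HardenedPool and payoutFor are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical pool (not GMX's GLP contract): shares are priced from the pool's
// ETH balance divided by total shares, as an AUM-priced LP token would be.
abstract contract PoolBase {
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    function deposit() external payable {
        uint256 poolBefore = address(this).balance - msg.value;
        uint256 minted = (totalShares == 0 || poolBefore == 0)
            ? msg.value
            : (msg.value * totalShares) / poolBefore;
        shares[msg.sender] += minted;
        totalShares += minted;
    }
    // Checks only: how much ETH `amount` shares are worth at the current price.
    function payoutFor(uint256 amount) internal view returns (uint256) {
        require(amount > 0 && shares[msg.sender] >= amount, "insufficient shares");
        return (amount * address(this).balance) / totalShares;
    }
}
// Vulnerable: the ETH transfer (interaction) precedes the share burn (effect).
// A receiver contract that re-enters redeem() from its fallback still passes the
// share check and is paid again for shares it has already cashed out.
contract VulnerablePool is PoolBase {
    function redeem(uint256 amount) external {
        uint256 payout = payoutFor(amount);
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
        shares[msg.sender] -= amount; // too late: state updated after the call
        totalShares -= amount;
    }
}
// Hardened: checks-effects-interactions ordering, plus a mutex so that any
// re-entrant call reverts even if the ordering slips in a future change.
contract HardenedPool is PoolBase {
    uint256 private locked = 1;
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function redeem(uint256 amount) external nonReentrant {
        uint256 payout = payoutFor(amount);
        shares[msg.sender] -= amount; // burn before sending
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

In review, the detection heuristic is the same for both contracts: any external call (`.call`, token transfer, callback) that happens before the storage writes it depends on have been committed is a re-entrancy finding, regardless of whether a guard is present.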
GMX’s token (GPU) experienced a significant, unexplained spike reaching $12.24, a 16% daily increase, attracting both attention and continued investor uncertainty regarding the ongoing security incident.
Redstone’s Marcin Kaźmierczak emphasizes the growing synergy between reward programs and advanced forensics, citing increasing attacker discretion post-fund recovery.