GMX Hacker Begins Returning Stolen Funds After Accepting $5M White-Hat Bounty

By Samson Ononeme

Jul 11, 2025

A $40M exploit hit GMX’s V1 GLP pool due to a re-entrancy bug. The attacker returned $10.5M after agreeing to a bounty.

GMX hack traced to re-entrancy flaw in V1 contract; $10.5M returned as team confirms user reimbursements

Key Insights

  • The GMX V1 platform was exploited for $40 million via a re-entrancy vulnerability in the OrderBook contract, targeting the GLP pool on Arbitrum.
  • The attacker began returning funds after accepting GMX’s $5 million white-hat bounty and legal immunity offer.
  • GMX paused V1 GLP operations, confirmed V2 remains secure, and plans reimbursements for affected users.

(MarketsXplora) – The attacker behind this week’s $40 million exploit of decentralized perpetuals exchange GMX has started returning the stolen funds, signaling acceptance of a $5 million white-hat bounty offered by the protocol.

The hack, which affected GMX’s V1 GLP pool on Arbitrum, saw the exploiter drain millions in assets including USDC, FRAX, wrapped bitcoin (WBTC), and wrapped ether (WETH). In immediate response, GMX halted trading and GLP minting on both Arbitrum and Avalanche to contain the damage. GMX V2 and the platform’s native token remained unaffected.

Following an onchain message from GMX offering a 10% bounty and a promise of legal immunity, the attacker replied simply: “ok, funds will be returned later.” Blockchain security firm PeckShield flagged the exchange and tracked two significant fund returns — a $5.5 million FRAX transaction, followed by another $5 million transfer to the GMX deployer address.

Vulnerability Identified, Reimbursements Planned

In a post-mortem published Thursday, GMX revealed the attack stemmed from a re-entrancy vulnerability in the OrderBook contract on Arbitrum. The flaw allowed the attacker to manipulate the average short price of BTC, artificially inflate the price of the GLP token, and then redeem it at a profit—ultimately siphoning off roughly $40 million.

In response, the team paused trading, collaborated with partners to trace funds, and confirmed GMX V2 remained secure. Looking ahead, minting and redemption of GLP on Arbitrum will remain disabled. The remaining funds, once secured, will be allocated toward user reimbursements, and affected users will be allowed to close open positions. The team also provided security guidance to GMX V1 forks and intends to initiate a DAO discussion on further compensation measures.

The GMX token initially plunged 28% following news of the exploit, hitting a low of $10.45. However, after the hacker’s signal of cooperation and the first fund returns, the token rebounded, rising about 14% to $13.25 as of Friday.

“Posting this message in hopes of connecting with the individual responsible for the GMX V1 exploit,” the team said in a message shared on X (formerly Twitter). “The white-hat bug bounty of $5 million continues to be available.”

GMX launched in 2021 on Arbitrum One, allowing users to trade BTC, ETH, AVAX, and other cryptocurrencies with up to 100x leverage. It has since processed over $306 billion in trading volume and maintains over $265 million in open interest across nearly 715,000 users.
