GMX Exploited for $40M in GLP Pool Attack, Offers Hacker 10% Bounty For Return

On July 9, GMX, an on-chain perpetual and spot exchange, suffered an exploit targeting the GLP Pool of GMX V1 on Arbitrum. According to GMX’s post on X, the protocol incurred a loss of approximately $40 million.

Blockchain security firms and on-chain analysts first noticed the suspicious activity around 1:30 to 2:00 PM UTC and began discussing it on X. However, the actual exploit had occurred earlier, around 12:30 PM UTC. The stolen assets included WBTC, WETH, USDC, LINK, UNI, USDT0, FRAX, and DAI.

Shortly after, GMX confirmed the incident through a public statement on X and addressed the exploiter directly on-chain. They offered a 10% white hat bounty in exchange for the return of 90% of the stolen funds, an offer that has so far gone unanswered.

GMX Exploiter Swaps 11,700 ETH, Community Slams Circle’s Inaction

However, according to on-chain analyst @ai_9684xtpa, the GMX exploiter is unlikely to accept the white hat bounty offer, based on recent on-chain activity. At the time of writing, the exploiter has bridged approximately 8.998 million USDC from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol (CCTP), swapped 88.173 WBTC for 9.54 million USDC, and subsequently used the stablecoins to purchase 11,700 ETH (valued at approximately $32.33 million). The acquired ETH was then distributed across four separate addresses. The initial exploiter address still holds approximately $10.5 million worth of FRAX. In total, the exploiter currently controls assets valued at roughly $42.8 million.

The incident has sparked widespread criticism within the crypto community, not just over the exploit itself but also over Circle’s perceived inaction. Many users expressed frustration that Circle allowed the conversion and bridging of stolen funds into USDC without intervention. On-chain observers first flagged the movement of bridged USDC to Ethereum as early as 1:30 AM (UTC) yesterday and noted that, even four hours after the initial alert, no representative from Circle had read or responded to the report.

Additionally, crypto influencer @0xwenmoon, noted that the $1.3 million in USDT0 was quickly frozen by the Tether team. However, the attacker managed to swap the entire amount for USDC just 23 seconds before the freeze took effect. On-chain investigator ZachXBT also criticized Circle for failing to freeze over $9 million in USDC following a $40 million exploit. He pointed out that the funds remained untouched for one to two hours, during which the attacker used Circle’s CCTP to bridge from Arbitrum to Ethereum.

GMX Exploit Explained: V1 Was Attacked, But V2 and GMX Token Are Safe

As GMX has not yet released a detailed post-mortem, blockchain security firm SlowMist reported that the root cause of the exploit stemmed from a design flaw in GMX V1. The vulnerability lies in how short position operations immediately update the global short average prices, which directly affect the calculation of Assets Under Management (AUM). This mechanism allowed the exploiter to manipulate GLP token pricing.

Using a reentrancy attack, the attacker opened large short positions to distort the global average prices within a single transaction. This caused an artificial increase in GLP prices, enabling the attacker to profit by redeeming GLP at inflated values.

Adding further context to the incident, on-chain analyst @EmberCN pointed out that the hacker’s initial funding originated from Tornado Cash two days prior, indicating that the exploit was premeditated.

In response, GMX stated that it has updated the caps for GM tokens on GMX V2 across Arbitrum and Avalanche. The team also affirmed that the exploit does not impact GMX V2, its markets, liquidity pools, or the GMX token itself.

However, the damage was significant. Following the announcement of the exploit, the price of the GMX token plummeted from approximately $14 to $10.63, a drop of around 24%. As of now, the token is trading at $11.54.

Looking Ahead

GMX reacted quickly and offered the exploiter a 10% white hat bounty in exchange for the return of the stolen funds. While some white hat hackers exploit vulnerabilities solely to highlight protocol weaknesses and later return the funds in exchange for a bounty, that might not appear to be the case here.