GMX - Rekt

Sometimes the oldest vulnerabilities cut the deepest.
$42 million vanished from GMX V1 on July 9th when someone remembered that reentrancy guards actually matter.
Two years of production, audits, blue-chip status - none of it mattered when the attacker spotted a cross-contract reentrancy and decided to take it for a spin.
The exploit was textbook simple: manipulate global short averages, inflate GLP pricing, mint and redeem at will.
GLP holders got front-row seats to watch their liquidity vanish while millions bridged to Ethereum and converted to DAI.
Circle sat on the sidelines as usual. GMX hit the emergency brakes on V1 and dangled the classic 10% bounty carrot, but the vault was already empty.
Or so it seemed...
How exactly does a protocol survive two years in production just to get schooled by reentrancy basics?

PeckShield fired the first flare on Wednesday, July 9th: "$42M exploited, $9.6M already bridged to Ethereum."
A couple of minutes later, BlockSec dropped the attack transaction with the line "Worth a further analysis".
GMX showed up shortly after with the inevitable statement: "The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet."
Trading and minting got suspended on both Arbitrum and Avalanche. V2 was fine, they assured everyone.
Meanwhile, the stolen funds were already taking a scenic tour through CoW Protocol, with the attacker swapping $5M USDC for DAI while GMX scrambled to work with security partners.
So how exactly do you turn a protocol's own order-keeper into your accomplice?
The Exploit Breakdown
According to EVMHacks' detailed breakdown (a three-part banger from their Telegram), GMX's vulnerability boiled down to a fatal circular dependency: global short positions influenced AUM calculations, which determined GLP pricing, which enabled liquidity operations that could manipulate those same global short positions.
SlowMist's analysis revealed the deeper design flaw: short position operations immediately updated the global short average prices (globalShortAveragePrices), which directly impacted AUM (Assets Under Management) calculations and allowed manipulation of GLP token pricing.
The attacker exploited the Keeper's ability to enable timelock.enableLeverage during order execution - a prerequisite for creating large short positions.
The attacker found the weak link in GMX's executeDecreaseOrder() function.
The function was correctly called by GMX's order-keeper - but it accepted an arbitrary contract address as input, which meant the keeper unknowingly handed execution to the attacker's malicious contract.
When the legitimate order-keeper executed the function, it triggered a callback to the attacker's malicious contract.
Classic reentrancy - via the gmxPositionCallback() hook, the attacker reentered GMX's reward router and vault mid-transaction to manipulate state before it finalized.
BlockSec confirmed the smoking gun: "GMX's order-keeper account issued a transaction, which passes a contract address as the first parameter of executeDecreaseOrder, and then the attacker leveraged a reentrancy to carry out the attack."
William Li observed that the keeper refund step was repurposed to hijack control mid-execution.
By tricking the keeper into interacting with a malicious contract instead of a regular user address, the attacker triggered reentrancy during the refund step - chaining multiple actions within a single transaction that GMX's architecture never anticipated.
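The point the last few paragraphs make is that a per-contract reentrancy guard does nothing when the callback re-enters a different contract. The model below is an added illustration, not GMX's code: the class names, the `Lock`/`guarded` helpers and the order-book body are assumptions, with only the function name `execute_decrease_order` and the hook name `gmx_position_callback` taken from the write-up. It runs the same order once under the usual per-contract guards and once under a single lock shared by the order book and the vault, and reports whether the hook was able to touch vault state while the order was still being executed.

```python
import functools


class ReentrancyError(Exception):
    """Raised when a guarded entry point is entered while its lock is held."""


class Lock:
    """A reentrancy lock. Give each contract its own instance for the usual
    per-contract nonReentrant guard, or hand ONE instance to every contract
    in the system to get a guard that also covers cross-contract reentry."""

    def __init__(self) -> None:
        self.held = False

    def acquire(self) -> None:
        if self.held:
            raise ReentrancyError("reentrant call blocked")
        self.held = True

    def release(self) -> None:
        self.held = False


def guarded(method):
    """Stand-in for a nonReentrant modifier: the method runs only if
    self.lock can be acquired, and the lock is always released afterwards."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        self.lock.acquire()
        try:
            return method(self, *args, **kwargs)
        finally:
            self.lock.release()
    return wrapper


class Vault:
    """Holds the global short bookkeeping that a callback must not be able to
    change while another contract is mid-execution (hypothetical model)."""

    def __init__(self, lock: Lock) -> None:
        self.lock = lock
        self.global_short_size = 0.0

    @guarded
    def increase_global_short(self, size_usd: float) -> None:
        self.global_short_size += size_usd


class OrderBook:
    """Executes pending decrease orders for a keeper. As described on the page,
    it takes whatever account it is handed and, if that account exposes a
    position callback, calls it before the order's own state is finalised."""

    def __init__(self, vault: Vault, lock: Lock) -> None:
        self.vault = vault
        self.lock = lock
        self.pending = {}  # order id -> size in USD

    @guarded
    def execute_decrease_order(self, account, order_id: int) -> float:
        size = self.pending[order_id]
        hook = getattr(account, "gmx_position_callback", None)
        if hook is not None:
            hook(order_id, self.vault)   # interaction runs BEFORE the effect below
        del self.pending[order_id]       # order finalised only after the hook returned
        return size


class ProbingAccount:
    """A contract-style account whose hook tries to change vault state while
    the order book is still executing. It only records whether the guard in
    force let that call through or blocked it."""

    def __init__(self) -> None:
        self.reached_vault = False
        self.blocked = False

    def gmx_position_callback(self, order_id: int, vault: Vault) -> None:
        try:
            vault.increase_global_short(1.0)
            self.reached_vault = True
        except ReentrancyError:
            self.blocked = True


def run(shared_lock: bool) -> dict:
    """Execute one constructed decrease order under per-contract guards
    (shared_lock=False) or one system-wide guard (shared_lock=True)."""
    lock = Lock()
    vault = Vault(lock if shared_lock else Lock())
    book = OrderBook(vault, lock if shared_lock else Lock())
    book.pending[1] = 5_000.0                  # constructed pending order
    account = ProbingAccount()
    size = book.execute_decrease_order(account, 1)
    return {
        "order_size": size,
        "vault_touched_mid_execution": account.reached_vault,
        "blocked": account.blocked,
        "vault_short_size": vault.global_short_size,
    }


if __name__ == "__main__":
    print("per-contract guards:", run(shared_lock=False))
    print("shared guard:       ", run(shared_lock=True))
```

With separate locks the order book is "protected" and the vault is "protected", yet the hook still changes `global_short_size` while the order is unfinalised; with one lock spanning both, the same call is rejected. Reordering the order book so it finalises before calling the hook (checks-effects-interactions) would protect only the order book's own storage, which is why the lock has to span every contract the callback can reach.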
The exploitation mechanism was a sneaky, fatal math trick: mint GLP, open short positions, withdraw GLP.
The critical flaw lay in how AUM calculations handled short position data.
While the total short size was updated when positions were opened, the average short price remained stuck at previous values - much lower prices from earlier market conditions.
This created a "virtual" short position scenario where the system believed shorts were opened at historical lows rather than current prices, artificially inflating the AUM calculation and making GLP appear more valuable than it actually was.
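The "virtual short" effect is easy to see in numbers, and it also gives a defender a concrete invariant to monitor: opening a short at the current mark price creates no unrealised P&L, so it must not move AUM. The model below is an added example, not GMX's GlpManager or Vault code: the `ShortBook` class, its two update paths and the pool figures are constructed assumptions, and the P&L-preserving average in `open_short_atomic` is derived here from that invariant rather than copied from the protocol. It computes AUM and GLP price before and after a new short under both an atomic update and the stale-average update the write-up describes.

```python
from dataclasses import dataclass


@dataclass
class ShortBook:
    """Global short book for one asset, reduced to the two globals the write-up
    discusses: total short size (USD) and the average entry price of those shorts."""
    size: float = 0.0       # total open short size, USD
    avg_price: float = 0.0  # average entry price, USD per unit of the asset

    def short_delta(self, mark: float) -> float:
        """What the pool is owed by the shorts at `mark`: positive when the shorts
        are under water (mark above their average entry), negative in profit."""
        if self.size == 0.0:
            return 0.0
        return self.size * (mark - self.avg_price) / self.avg_price

    def open_short_atomic(self, size_usd: float, mark: float) -> None:
        """Correct update: size and average move in one step. The new average is
        chosen so the pre-existing unrealised P&L is preserved and the freshly
        opened size carries zero P&L (it was opened at `mark`)."""
        delta_before = self.short_delta(mark)
        new_size = self.size + size_usd
        # Solve new_size * (mark - avg') / avg' == delta_before for avg'.
        self.avg_price = mark * new_size / (new_size + delta_before)
        self.size = new_size

    def open_short_stale(self, size_usd: float, mark: float) -> None:
        """The non-atomic update the write-up describes: size grows but the
        average keeps its old (lower) value, so the new size is booked as if
        it had been shorted at that historical price."""
        if self.size == 0.0:
            self.avg_price = mark
        self.size += size_usd


def aum(pool_value_usd: float, book: ShortBook, mark: float) -> float:
    """Assets under management = pool assets plus the short book's delta."""
    return pool_value_usd + book.short_delta(mark)


def glp_price(pool_value_usd: float, book: ShortBook, mark: float, glp_supply: float) -> float:
    return aum(pool_value_usd, book, mark) / glp_supply


def opening_changed_aum(book: ShortBook, size_usd: float, mark: float,
                        pool_value_usd: float, stale: bool, tol: float = 0.01) -> bool:
    """Invariant a monitor or test suite can check: opening a short at the current
    mark must not move AUM by more than rounding. Returns True when violated."""
    before = aum(pool_value_usd, book, mark)
    (book.open_short_stale if stale else book.open_short_atomic)(size_usd, mark)
    after = aum(pool_value_usd, book, mark)
    return abs(after - before) > tol


def demo() -> dict:
    """Constructed scenario (not the real GLP pool): $14.5M of pool assets, 10M GLP,
    an existing $2M short book entered at $80k while the mark is $100k, then a
    new $3M short opened at the mark under each update path."""
    mark = 100_000.0
    pool_value = 14_500_000.0
    supply = 10_000_000.0
    results = {}
    for label, stale in (("atomic", False), ("stale", True)):
        book = ShortBook(size=2_000_000.0, avg_price=80_000.0)
        price_before = glp_price(pool_value, book, mark, supply)
        violated = opening_changed_aum(book, 3_000_000.0, mark, pool_value, stale)
        price_after = glp_price(pool_value, book, mark, supply)
        results[label] = (round(price_before, 4), round(price_after, 4), violated)
    return results


if __name__ == "__main__":
    for label, (before, after, violated) in demo().items():
        print(f"{label:7s} GLP {before} -> {after}  invariant violated: {violated}")
```

In the constructed run the atomic path leaves GLP at $1.50 while the stale path lifts it to $1.575 from a single $3M short that has no real P&L. Plugging the page's own BTC figures into `short_delta` (a stored average of $1,913.70 against a mark of $109,505.77) makes every dollar of short size count roughly 56 times over in AUM, which is the scale of the GLP mispricing the post-mortem reports.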
The mathematical exploit was elegant in its simplicity, but the vulnerability's origin story would prove far more complex.
First, though: who was behind the keyboard, and where did $42 million disappear to?
The Attacker's Trail
The attacker didn't materialize out of thin air. Two days before the exploit, the Mayan Swift Bridge funded the main wallet with enough capital to execute the plan.
Primary Attacker Address: 0xDF3340A436c27655bA62F8281565C9925C3a5221
Attack Contract: 0x7D3BD50336f64b7A473C51f54e7f0Bd6771cc355
Key Transactions
Initial Funding: 0xbb4188bcd0153a9572f009db6c49a07ce67e6a032f8cc1f745cef2c51fd32f62
Attack Contract Deployment: 0xa4ece5a7f106f2fa62dbd0d03441183aeb650d8f587e5c1706e1e5488cd4c93f
Main Exploit Transaction: 0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef
Targeted Contracts
GMX Vault: 0x489ee077994b6658eafa855c308275ead8097c4a
The GMX Vault was the primary attack target housing the manipulatable globalShortAveragePrices data.
GLP Manager: 0x321f653eed006ad1c29d174e17d96351bde22649
The GLP Manager served as the exploit's amplification mechanism, translating manipulated vault data into inflated GLP pricing.
The attacker created a feedback loop inside GMX's math—a kind of financial microphone screech that amplified fake profits into real liquidity through repeated cycles of mint and redeem operations.
With the mathematical advantage established, the attacker maximized their haul through the manipulated pricing mechanism before moving to cover their tracks.
The loot didn't sit still. PeckShield tracked the attacker bridging $9.6M worth of assets to Ethereum, where they immediately began laundering through CoW Protocol.
The conversion from $5M USDC to $5M DAI: 0xce269bdfec9a489239749586fe9dcb1433eeb275aad8accdcec612224fa6eaeb
By the time the security community finished dissecting the exploit, the damage was already done - millions gone, users rekt, and another audit badge rendered meaningless.
But where did this vulnerability actually come from?
When Bug Fixes Create Bigger Bugs
PeckShield's post-hack analysis revealed the devastating truth about this vulnerability's origin.
The cross-contract reentrancy that enabled the $42M exploit wasn't a design oversight - it was introduced in 2022 when GMX patched a different bug, one that had earned Collider VC a $1 million bounty.
The 2022 Collider bug involved the same core issue: non-atomic updates of global short size and average global short price.
When GMX patched that vulnerability, they inadvertently created the exact conditions that would later enable this much larger exploit.
PeckShield confirmed the worst-case scenario: "the bug was indeed introduced in the fix for the $1M bounty issue."
A textbook example of how security patches can create new attack vectors when not properly validated.
The implications for every GMX V1 fork were immediate - any protocol that had copied GMX's codebase potentially inherited this same fatal flaw.
If fixing bugs can create bigger bugs, what good are audits that never see the fixes?
The Audit Alibi
Speaking of audits, both of them look to be out of scope for this specific exploit.
ABDK's April 2021 audit covered "Gambit" - the pre-GMX version with basic vault logic and none of the complex keeper flows or GLP mechanisms that were exploited.
The codebase and architecture evolved dramatically since then.
Quantstamp's September 2022 audit covered vault implementations but completely whiffed on the interaction pathways that mattered: keeper callbacks, globalShortAveragePrices manipulation, and circular AUM dependencies.
Worse yet, post-audit changes meant key functions like keeper callbacks and AUM logic weren't reviewed.
The OrderBook.sol contract had "additional override on functions: executeSwapOrder, executeIncreaseOrder, executeDecreaseOrder" - the last of which became the attack vector.
The PositionManager.sol showed critical changes in function call order: enableLeverage was moved before executeDecreaseOrder, while disableLeverage and getDecreaseOrder functions were called before getDecreaseOrder in the deployed version.
Vault.sol got a complete makeover - modified functions, new logic for _increaseGlobalShortSize. RewardTracker.sol sprouted new storage variables.
Timelock.sol gained "additional functions" and flipped modifier permissions from onlyAdmin to onlyAdminOrHandler.
Code changed. Audits didn't.
So when users parked millions in "audited" contracts, what exactly had been audited?
After the Cards Fell
GMX ambitiously messaged the exploiter, offering a 10% bounty ($4M), a 48-hour deadline and no legal action if the funds were returned.
Message Transaction: 0x92a39e66e54aff033cd7b41b468de7891cf459593495d68d78099cc889547380
Circle's response was equally predictable - slow to freeze assets despite holding $30M+ in USDC.
ZachXBT called them out: "Circle does not freeze 9M+ $USDC after a $40M exploit that sat for 1-2 hours where the attacker also used CCTP to bridge from Arbitrum to Ethereum."
Another day, another reminder that centralized stablecoin issuers move at bureaucratic speed when funds are bleeding.
Meanwhile, GMX scrambled to reassure users that V2 remained unaffected. Trading on V1 stayed suspended across both Arbitrum and Avalanche while the team conducted damage assessment.
GMX published their official analysis the following day, "GMX V1 Exploit on Arbitrum: Root Cause and Next Steps," confirming the cross-contract reentrancy attack and detailing the brutal math: BTC's average short price was manipulated from $109,505.77 down to $1,913.70, inflating GLP from $1.45 to over $27.
The analysis also outlined their plan for handling remaining funds and potential reimbursement measures.
The official analysis confirmed the inevitable: yet another established protocol brought down by fundamental flaws hiding in plain sight.
But then came the plot twist nobody saw coming.
Two days after what appeared to be one of DeFi's largest exploits, GMX dropped a bombshell that may have reframed the narrative.
"There was a security vulnerability in the GMX V1 codebase that was disclosed...
We would like to recognize the actions of 0xDF3340A436c27655bA62F8281565C9925C3a5221 in this recovery.
A potential exploitable amount of $42 million belonging to GLP holders was secured.
After payment of a $5 million bounty to the user, the remaining funds are now safely in the GMX Security Multisig."
The "exploit" appears to be a coordinated recovery that saved user funds.
What looked like a devastating hack may have been a demonstration of a critical vulnerability that prevented other malicious actors from exploiting the same flaw.
In a space where white hats and black hats look identical until the very end, how do we tell the heroes from the villains?

Reentrancy never went away - it just got better at hiding.
While DeFi chased yield and TVL metrics, the fundamentals rotted from within.
GMX survived flash crashes, bear markets, and regulatory uncertainty, only to nearly die from a vulnerability created by fixing another vulnerability.
Two years of production, two audit firms' involvement, established status - none of it prevented a vulnerability introduced by their own security patch from threatening user funds.
The incident revealed how even well-intentioned security fixes can create new attack vectors when proper validation is skipped.
Every post-audit code change without review was another round loaded in the chamber, and in July someone finally pulled the trigger.
Circle's sluggish response, the standard bounty theater, the reassurances about V2 - all predictable moves in crypto's endless cycle of rekt and repeat.
But this time, the story had a different ending. Sometimes the system works, even when it looks like it's completely broken.
When protocols treat security like a marketing checkbox instead of an ongoing discipline, how long before the next $42 million lesson?
