
Another so-called decentralized crypto exchange has suffered a multimillion-dollar exploit due to a vulnerability in its smart contracts, prompting comments about the “illusion of security in DeFi.”
This time, it was GMX's turn, as the exploiter stole around $40 million worth of GLP tokens from a pool on GMX V1 operating on the Arbitrum blockchain on Wednesday. GMX's initial analysis confirmed that the attack was V1-specific, as the criminal manipulated how the short average price on V1 is calculated.
Our initial analysis of today’s GLP exploit, conducted in collaboration with our security partners and lead auditor, still confirms that the attack vector is specific to GMX V1. The manipulation involved relates to the calculation of the short average price on V1, and the same… https://t.co/BbcUSaXyq9
GMX 🫐 (@GMX_IO), July 9, 2025
While a detailed post-mortem will be announced as soon as the investigation is finalized, the team is already engaged in negotiations with the exploiter, offering them a 10% whitehat bounty for the return of the stolen funds.
"If the remaining 90% of funds are returned within 48 hours, we commit to pursuing no further legal action," GMX said. According to crypto security specialist PeckShield, almost $10 million worth of tokens have already been sent from Arbitrum to the Ethereum blockchain.
Meanwhile, the platform also urged its users to disable leverage and take extra steps to prevent further minting of the GLP token. However, some users seem to struggle to take these actions, asking for clearer instructions or a video tutorial.
Another crypto security team, SlowMist, corroborated the initial analysis of GMX, saying that the attacker exploited a GMX design flaw that allowed manipulation of prices of short trading positions, or positions betting on price decline. According to the security specialist, it directly impacts the calculation of assets under management, thereby allowing manipulation of GLP token pricing.
The root cause of this attack stems from @GMX_IO v1's design flaw where short position operations immediately update the global short average prices (globalShortAveragePrices), which directly impacts the calculation of Assets Under Management (AUM), thereby allowing manipulation… https://t.co/BIMtZAI1s7 pic.twitter.com/BIILFf8Mex
SlowMist (@SlowMist_Team), July 9, 2025
"Through a reentrancy attack, they successfully established massive short positions to manipulate the global average prices, artificially inflating GLP prices within a single transaction and profiting through redemption operations," the team explained.
Other blockchain experts, such as Suhail Kakar of the TAC blockchain, added that the reentrancy is "the oldest trick in the book" and that "this wasn’t a minor bug. It was a foundational flaw."
"That means the attacker could trick the contract into thinking they hadn’t withdrawn anything – and mint more tokens repeatedly [without proper collateral], using the same base funds," Kakar said, later adding that the attacker also "used a contract to masquerade as a normal user."
"Wait, almost 4 years nobody figured this out and now all of a sudden one hacker recognized this?" X user @0xSchnitzel reacted to the analysis by security experts.
In either case, as Kakar concluded, this story is not just about GMX, "it’s about the illusion of security in DeFi," as the fact that smart contracts are audited doesn't mean they're safe, and even multibillion-dollar protocols can be exploited.