QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$40 000 000 USD
JULY 2025
GLOBAL
GMX.IO
DESCRIPTION OF EVENTS
GMX is a decentralized perpetual exchange that allows users to trade top cryptocurrencies like BTC, ETH, and AVAX with leverage up to 100x directly from their own wallets. The platform supports seamless trading via a simple swap interface, reducing the complexity of entering and exiting leveraged positions. It operates on both the Arbitrum and Avalanche blockchains, offering users the flexibility to trade on their preferred network. GMX emphasizes safety through its use of aggregated, high-quality price feeds to minimize liquidation risks caused by temporary price wicks.
The platform boasts impressive metrics, with a total trading volume exceeding $307 billion, open interest around $299 million, and over 715,000 users. GMX is designed to help traders save on costs with minimal spreads and low price impact, providing efficient execution without incurring unnecessary fees. Liquidity and governance are driven by three key tokens: GMX, GLV, and GM. Each token plays a unique role in the ecosystem, from fee accrual and liquidity provision to governance participation.
The GMX token serves as the utility and governance token, accruing a portion of market-generated fees, while GLV and GM function as liquidity provider tokens for the GMX V2 vaults and markets, respectively. These tokens offer competitive APYs, especially on Arbitrum and Avalanche, making them attractive for yield-seeking investors. The platform also maintains active community and support channels across social media and developer platforms like Twitter, Discord, and GitHub.
Are-entrancy exploit vulnerability existed in the GMX V1 smart contract, which could allow an attacker to manipulate price calculations and extract inflated value from the protocol. While a function was protected with a nonReentrant modifier, it only prevented re-entrancy within the same contract. It did not protect against re-entrant calls across different contracts.
The exploit involved a re-entrancy attack that allowed the attacker to manipulate the average short price of BTC and redeem GLP at a significantly inflated value.
The root cause of the GMX V1 vulnerability was identified as a re-entrancy attack, based on a detailed review conducted by GMX contributors, auditors, and security researchers. Specifically, the vulnerability stemmed from a function within the OrderBook contract that, despite using a nonReentrant modifier, was only protected against re-entrancy within the same contract. This oversight allowed an external call to the Vault contract’s increasePosition function, which under normal operations should only be accessible via the PositionRouter and PositionManager—components responsible for ensuring the correct calculation of the average short price.
By bypassing these controls through re-entrancy, the attacker was able to manipulate the average short price calculation for BTC. This manipulation dramatically lowered the average short price from over $109,000 to just $1,913.70. Since the GLP price is partially determined by the pending profit and loss (PnL), which is derived from the short position’s performance, the artificial reduction in the average short price created a massive discrepancy. The attacker exploited this by taking a flash loan to purchase GLP at its fair market price, then opening a massive short position.
This manipulation resulted in calculated short losses of over $859 million, which in turn inflated the GLP token price from $1.45 to over $27. The attacker then redeemed the previously purchased GLP at this manipulated, inflated value, extracting a significant amount of value from the protocol. This exploitation was made possible due to the unguarded cross-contract interaction, a common vulnerability in smart contract design, which highlights the critical importance of secure access controls and multi-contract audit coordination.
The exploit originated in the OrderBook contract, specifically in a function at line 874. While this function was protected with a nonReentrant modifier, it only prevented re-entrancy within the same contract. It did not protect against re-entrant calls across different contracts, which is where the flaw was exploited.
The attacker was able to use this loophole to re-enter the system and call the increasePosition function in the Vault contract directly. Under normal conditions, this function should only be callable by two specific contracts: PositionRouter and PositionManager. These components are essential for calculating the average short price, a value critical to determining unrealized profit and loss (PnL) for GLP holders.
Losses were estimate as $40m.
"Due to the manipulated average short price, the short losses would be calculated as 15,385,676 * (1913.70 - 108,757.787) / 1913.70 = 859,000,107.173, where 108,757.787 represents the current BTC oracle price."
"This would lead to the GLP price being inflated to above $27, after which the attacker could redeem the minted GLP at this inflated price."
GMX took immediate security measures, including pausing V1 operations and securing the recovered assets by converting them to stablecoins and transferring them to the GMX Treasury on Arbitrum. V1 GLP minting and redemptions are now permanently disabled on Arbitrum, with only position closures allowed. On Avalanche, GLP minting has also been disabled, though redemptions remain open. GMX V2 was unaffected by this incident and continues to operate normally.
After negotiations and outreach, the funds were fully recovered and returned to the GMX DAO. A $5 million bug bounty was paid to the white-hat user responsible for disclosing the vulnerability, ensuring the safe return of assets. GMX expressed gratitude to its community, partners, and the security researcher involved, and reaffirmed its commitment to strengthening protocol security through its Immunefi bug bounty program and future upgrades.
Funds were recovered, except for the $5m bounty paid to the exploiter.
The GMX DAO is preparing a detailed distribution plan to return funds to affected Arbitrum GLP holders. This includes evaluating options for reimbursement assets, considering potential treasury supplementation, and determining a fair distribution timeline. The DAO will make final decisions based on snapshot data of GLP AUM before and after the exploit.
GMX, a decentralized perpetual exchange supporting leveraged crypto trading on Arbitrum and Avalanche, experienced a major exploit in its V1 protocol due to a re-entrancy vulnerability. An attacker bypassed access controls to manipulate the average short price of BTC, inflating the value of the GLP token and extracting approximately $40 million through a flash loan. The vulnerability stemmed from a cross-contract re-entrancy gap in the OrderBook contract. GMX responded quickly by pausing V1, securing funds, and recovering the stolen assets—minus a $5 million bug bounty awarded to the white-hat exploiter. The funds are now held by the GMX DAO, and a distribution plan is underway to compensate impacted users, while GMX V2 remains fully secure and operational.
GMX - Rekt News (Jul 15)
Initial Funding Transaction - Arbiscan (Jul 15)
Malicious Contract Deployment - Arbiscan (Jul 15)
Main Exploit Transaction - Arbiscan (Jul 15)
GMX.io - "The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet." - Twitter/X (Jul 15)
GMX.io - "URGENT: for all GMX V1 forks, GMX V1 has been exploited." - Twitter/X (Jul 15)
Latest Announcement on Telegram - GMX.io (Jul 15)
GMX.io Homepage (Jul 15)
GMX.io Linktree (Jul 15)
GMX.io Announcement (Jul 15)
GMX.io Twitter/X (Jul 15)
https://x.com/TenArmorAlert/status/1945406534634311946 (Jul 25)
