GMX V1 Cross-Contract Re-Entrancy Flash Loan Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:42, 28 July 2025 by Azoundria

GMX, a decentralized perpetual exchange supporting leveraged crypto trading on Arbitrum and Avalanche, experienced a major exploit in its V1 protocol due to a re-entrancy vulnerability. An attacker bypassed access controls to manipulate the average short price of BTC, inflating the value of the GLP token and extracting approximately $40 million through a flash loan. The vulnerability stemmed from a cross-contract re-entrancy gap in the OrderBook contract. GMX responded quickly by pausing V1, securing funds, and recovering the stolen assets—minus a $5 million bug bounty awarded to the white-hat exploiter. The funds are now held by the GMX DAO, and a distribution plan is underway to compensate impacted users, while GMX V2 remains fully secure and operational.[1][2][3][4][5][6][7][8][9][10][11][12]

About GMX.io

GMX is a decentralized perpetual exchange that allows users to trade top cryptocurrencies like BTC, ETH, and AVAX with leverage up to 100x directly from their own wallets. The platform supports seamless trading via a simple swap interface, reducing the complexity of entering and exiting leveraged positions. It operates on both the Arbitrum and Avalanche blockchains, offering users the flexibility to trade on their preferred network. GMX emphasizes safety through its use of aggregated, high-quality price feeds to minimize liquidation risks caused by temporary price wicks.

The platform boasts impressive metrics, with a total trading volume exceeding $307 billion, open interest around $299 million, and over 715,000 users. GMX is designed to help traders save on costs with minimal spreads and low price impact, providing efficient execution without incurring unnecessary fees. Liquidity and governance are driven by three key tokens: GMX, GLV, and GM. Each token plays a unique role in the ecosystem, from fee accrual and liquidity provision to governance participation.

The GMX token serves as the utility and governance token, accruing a portion of market-generated fees, while GLV and GM function as liquidity provider tokens for the GMX V2 vaults and markets, respectively. These tokens offer competitive APYs, especially on Arbitrum and Avalanche, making them attractive for yield-seeking investors. The platform also maintains active community and support channels across social media and developer platforms like Twitter, Discord, and GitHub.

The Reality

A re-entrancy vulnerability existed in the GMX V1 smart contract, which could allow an attacker to manipulate price calculations and extract inflated value from the protocol. While a function was protected with a nonReentrant modifier, it only prevented re-entrancy within the same contract. It did not protect against re-entrant calls across different contracts.

What Happened

GMX reported that approximately $40 million worth of GLP funds on Arbitrum were compromised due to a vulnerability in its GMX V1 smart contract.

Key Event Timeline - GMX V1 Cross-Contract Re-Entrancy Flash Loan Attack

| Date | Event | Description |
|---|---|---|
| July 7th, 2025 5:40:19 AM MDT | Attacker Wallet Funded | The attacker's Arbitrum wallet is first funded with Ethereum. |
| July 9th, 2025 6:16:32 AM MDT | Malicious Contract Deployment | The malicious smart contract is deployed on the Arbitrum blockchain. |
| July 9th, 2025 6:30:11 AM MDT | Main Exploit Transaction | The smart contract is exploited and $40m goes to the attacker. |
| July 9th, 2025 8:35:00 AM MDT | Initial GMX Team Tweet | GMX.io posts an initial announcement to acknowledge the exploit. |
| July 9th, 2025 8:45:00 AM MDT | Potential Work-Around Released | GMX releases a potential work-around to minimize the effects of the exploit. |

Technical Details

The exploit involved a re-entrancy attack that allowed the attacker to manipulate the average short price of BTC and redeem GLP at a significantly inflated value.

The root cause of the GMX V1 vulnerability was identified as a re-entrancy attack, based on a detailed review conducted by GMX contributors, auditors, and security researchers. Specifically, the vulnerability stemmed from a function within the OrderBook contract that, despite using a nonReentrant modifier, was only protected against re-entrancy within the same contract. This oversight allowed an external call to the Vault contract’s increasePosition function, which under normal operations should only be accessible via the PositionRouter and PositionManager—components responsible for ensuring the correct calculation of the average short price.

By bypassing these controls through re-entrancy, the attacker was able to manipulate the average short price calculation for BTC. This manipulation dramatically lowered the average short price from over $109,000 to just $1,913.70. Since the GLP price is partially determined by the pending profit and loss (PnL), which is derived from the short position’s performance, the artificial reduction in the average short price created a massive discrepancy. The attacker exploited this by taking a flash loan to purchase GLP at its fair market price, then opening a massive short position.

This manipulation resulted in calculated short losses of over $859 million, which in turn inflated the GLP token price from $1.45 to over $27. The attacker then redeemed the previously purchased GLP at this manipulated, inflated value, extracting a significant amount of value from the protocol. This exploitation was made possible due to the unguarded cross-contract interaction, a common vulnerability in smart contract design, which highlights the critical importance of secure access controls and multi-contract audit coordination.

The exploit originated in the OrderBook contract, specifically in a function at line 874. While this function was protected with a nonReentrant modifier, it only prevented re-entrancy within the same contract. It did not protect against re-entrant calls across different contracts, which is where the flaw was exploited.

The attacker was able to use this loophole to re-enter the system and call the increasePosition function in the Vault contract directly. Under normal conditions, this function should only be callable by two specific contracts: PositionRouter and PositionManager. These components are essential for calculating the average short price, a value critical to determining unrealized profit and loss (PnL) for GLP holders.
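As an added illustration (not GMX's code and not part of the original case study), the Python toy model below shows why a per-contract nonReentrant flag stops a callback from re-entering the OrderBook but not from reaching the Vault, and how a guard shared by both contracts closes that gap. The class names, the `invoke` and `execute_order` methods, the callback and the caller labels are assumptions of the model.

```python
# Toy model, constructed for illustration: per-contract vs. shared re-entrancy guard.
# `caller` stands in for msg.sender; class and method names are hypothetical.
class Reverted(Exception): pass
class Guard:
    holder = None  # name of the contract currently holding the lock, if any

class Contract:
    def __init__(self, name, guard):
        self.name, self.guard, self.log = name, guard, []

    def guarded(self, caller, body):
        # While the lock is held, only the holder's own nested calls may enter.
        if self.guard.holder is not None and caller != self.guard.holder:
            raise Reverted(f"{self.name}: re-entrant call from {caller}")
        outermost = self.guard.holder is None
        if outermost:
            self.guard.holder = self.name
        try:
            return body()
        finally:
            if outermost:
                self.guard.holder = None

class Vault(Contract):
    def invoke(self, caller, function):
        return self.guarded(caller, lambda: self.log.append((caller, function)))

class OrderBook(Contract):
    def execute_order(self, caller, vault, callback):
        def body():
            vault.invoke(self.name, "decrease_position")  # protocol's own nested call
            callback()  # control passes to external code mid-execution
        return self.guarded(caller, body)

def simulate(shared_guard):
    guard = Guard()
    vault = Vault("Vault", guard if shared_guard else Guard())
    book = OrderBook("OrderBook", guard)
    outcome = {}
    def callback():
        attempts = {"orderbook": lambda: book.execute_order("external", vault, lambda: None),
                    "vault": lambda: vault.invoke("external", "increase_position")}
        for target, attempt in attempts.items():
            try:
                attempt()
                outcome[target] = "executed"
            except Reverted:
                outcome[target] = "reverted"
    book.execute_order("keeper", vault, callback)
    return outcome, vault.log
```

With separate guards (`simulate(False)`) the callback's vault call executes while the OrderBook is still mid-execution; with one shared guard (`simulate(True)`) both re-entrant calls revert and only the OrderBook's own nested call is logged.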

Total Amount Lost

Losses were estimated at $40m.

"Due to the manipulated average short price, the short losses would be calculated as 15,385,676 * (1913.70 - 108,757.787) / 1913.70 = 859,000,107.173, where 108,757.787 represents the current BTC oracle price."

"This would lead to the GLP price being inflated to above $27, after which the attacker could redeem the minted GLP at this inflated price."

The total amount lost has been estimated at $40,000,000 USD.

Immediate Reactions

GMX took immediate security measures, including pausing V1 operations and securing the recovered assets by converting them to stablecoins and transferring them to the GMX Treasury on Arbitrum. V1 GLP minting and redemptions are now permanently disabled on Arbitrum, with only position closures allowed. On Avalanche, GLP minting has also been disabled, though redemptions remain open. GMX V2 was unaffected by this incident and continues to operate normally.

Ultimate Outcome

After negotiations and outreach, the funds were fully recovered and returned to the GMX DAO. A $5 million bug bounty was paid to the white-hat user responsible for disclosing the vulnerability, ensuring the safe return of assets. GMX expressed gratitude to its community, partners, and the security researcher involved, and reaffirmed its commitment to strengthening protocol security through its Immunefi bug bounty program and future upgrades.

A bounty of $5,000,000 USD was paid for the discovery.

Total Amount Recovered

Funds were recovered, except for the $5m bounty paid to the exploiter.

The total amount recovered has been estimated at $40,000,000 USD.

Ongoing Developments

The GMX DAO is preparing a detailed distribution plan to return funds to affected Arbitrum GLP holders. This includes evaluating options for reimbursement assets, considering potential treasury supplementation, and determining a fair distribution timeline. The DAO will make final decisions based on snapshot data of GLP AUM before and after the exploit.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References