GMX was severely attacked today, with a wallet withdrawing approximately 42 million USD from its GLP liquidity provider. The exact method is still unclear, but the team has proposed a 10% bonus to the attacker if they return 90% of the funds.
Hackers transferred around 9.6 million USD from Arbitrum to Ethereum using Circle's CCTP, causing controversy. This is GMX's second major breach this year, and its token has dropped over 25% following the incident.
How was GMX hacked?
The crypto community has recently experienced several prominent attacks, and this trend shows no signs of slowing down. This morning, security monitoring agencies discovered a suspicious transaction on GMX, now believed to be a hack.
Through undetermined methods, a wallet funded by Tornado Cash withdrew approximately 42 million USD from GMX's liquidity provider (GLP).
GMX, the famous decentralized exchange, quickly responded to this major hack. Specifically, they disabled some user features related to trading, minting, and token swapping.
The company also encoded an on-chain message to the hackers, stating they would not take legal action if the hacker returns 90% of the stolen funds within 48 hours. The remaining 10% would be considered a form of bug bounty.
Additionally, GMX is investigating the exact cause of this hack, but no conclusive results are available yet. The company claims the damage is limited to GMX V1, and that V2, markets, other liquidity pools, and the GMX token are functioning normally.
However, the token has dropped over 35% and continues to decline since the hack occurred:
GMX price chart. Source: CoinGeckoUnfortunately, this is GMX's second major hack in 2025. In March, the company lost 13 million USD due to an attack that also caused GMX to drop 10%. If such serious breaches continue, it could damage the company's reputation.
ZachXBT, a famous crypto investigator, pointed out another weakness in the GMX hack. He noted that 9.6 million USD of the stolen funds were on the USDC blockchain for nearly two hours before the attacker used CCTP to transfer the money to Ethereum.
He attempted to mark the transaction and accused Circle of being irresponsible for not freezing these assets.
Besides this successful ETH transfer, the remaining approximately 33 million USD remains on Arbitrum. It is currently unclear whether the attacker can launder the remaining funds from the GMX hack.
