GMX releases report on $42 million hack: attackers exploited a reentrancy vulnerability; how will users be compensated?


GMX, a long-established decentralized perpetuals exchange, suffered an attack on its V1 deployment on Arbitrum on July 9, with losses of about $42 million. On the evening of July 10 (Taiwan time), GMX published a detailed report on X describing the root cause of the attack, its initial response, and its next steps.

Cause of the GMX hack

According to GMX's official report, the attack took place on July 9, 2025 at 12:30 PM UTC. The attacker exploited a reentrancy vulnerability in GMX V1 on Arbitrum to call the Vault contract's increasePosition function directly, bypassing the normal path through the PositionRouter and PositionManager contracts, which is where the average short price is computed.

Through this path the attacker manipulated the recorded average short price for BTC from $109,505.77 to $1,913.70, then used a flash loan to buy GLP (GMX's liquidity provider token) at $1.45 and opened a position worth $15.38 million, ultimately pushing the GLP price above $27 and realizing a large profit.

The report identifies the entry point as a function in the OrderBook contract. That function carried a nonReentrant modifier, but a guard of this kind only blocks re-entry into the same contract: the lock is a flag in the OrderBook's own storage, so it does nothing to stop a call that re-enters a different contract (here the Vault) while the OrderBook's execution is still in progress.

After discovering the vulnerability, GMX suspended trading on Avalanche (the other V1 deployment) to prevent further losses, and contacted Arbitrum, exchanges, bridge protocols and stablecoin issuers (Circle, Tether, Frax) to track the stolen funds, while also communicating with the attacker through on-chain messages.

GMX also confirmed that GMX V2 is not affected by this class of bug: in V2 the average short price calculation and order execution happen within the same contract, so there is no cross-contract window for an attacker to exploit.
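The following simplified Solidity model is an added illustration for the two points above (the per-contract nonReentrant guard and the single-contract fix attributed to V2); it is example code written for this article, not GMX's contracts. Every name in it (Guard, Vault, HardenedVault, OrderBook, Attacker, Demo, the open/close/increase/decrease functions), the leverageEnabled toggle that the OrderBook switches on around its own execution, and the simplified accounting are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustrative model, not GMX code. Every name below (Guard, Vault, HardenedVault,
// OrderBook, Attacker, Demo, open/close/increase/decrease, the leverageEnabled toggle) is
// an assumption made for the example; collateral is simplified to equal position size.

// Per-contract guard: the lock is a slot in the inheriting contract's own storage,
// so it can only detect re-entry into that same contract.
abstract contract Guard {
    bool private _entered;
    modifier nonReentrant() {
        require(!_entered, "reentrant");
        _entered = true;
        _;
        _entered = false;
    }
}

// Holds the position size. increase() accepts direct calls whenever the OrderBook
// has switched leverage on around its own execution (assumed design).
contract Vault is Guard {
    uint256 public shortSize;
    bool public leverageEnabled;
    address public orderBook;
    function setOrderBook(address ob) external { require(orderBook == address(0)); orderBook = ob; }
    function setLeverage(bool on) external { require(msg.sender == orderBook, "not orderBook"); leverageEnabled = on; }
    function increase(uint256 size) external virtual nonReentrant {
        require(leverageEnabled, "leverage off");
        shortSize += size;
    }
    function decrease(uint256 size) external nonReentrant {
        require(msg.sender == orderBook, "not orderBook");
        shortSize -= size;
    }
}

// Hardened variant: the average-price bookkeeping can only be skipped by reaching the
// vault without going through the OrderBook, so refuse exactly that.
contract HardenedVault is Vault {
    function increase(uint256 size) external override nonReentrant {
        require(msg.sender == orderBook, "not orderBook");
        shortSize += size;
    }
}

// Keeps the size-weighted average short price; trackedShortSize must mirror
// vault.shortSize(), otherwise the average and anything priced from it is wrong.
contract OrderBook is Guard {
    Vault public immutable vault;
    uint256 public trackedShortSize;
    uint256 public avgShortPrice;
    constructor(Vault v) { vault = v; v.setOrderBook(address(this)); }

    function open(uint256 size, uint256 price) external payable nonReentrant {
        require(size > 0 && msg.value == size, "collateral must equal size");
        avgShortPrice = (avgShortPrice * trackedShortSize + price * size) / (trackedShortSize + size);
        trackedShortSize += size;
        vault.setLeverage(true);
        vault.increase(size);
        vault.setLeverage(false);
    }

    // Vulnerable ordering: the refund is an external call into user code made while this
    // contract's lock is held, the vault's lock is free and leverage is still on.
    function close(uint256 size) external nonReentrant {
        trackedShortSize -= size;
        vault.setLeverage(true);
        vault.decrease(size);
        (bool ok, ) = msg.sender.call{value: size}("");
        require(ok, "refund failed");
        vault.setLeverage(false);
    }
    function inSync() external view returns (bool) { return trackedShortSize == vault.shortSize(); }
}

contract Attacker {
    OrderBook public immutable ob;
    Vault public immutable vault;
    constructor(OrderBook o) { ob = o; vault = o.vault(); }
    // Open a small short and close it; the refund lands in receive() below.
    function run() external payable {
        ob.open{value: msg.value}(msg.value, 100000e30);
        ob.close(msg.value);
    }
    receive() external payable {
        // The OrderBook's lock is held but the Vault's is not, so a direct vault call skips the
        // OrderBook's average-price update. Succeeds against Vault, reverts against HardenedVault.
        try vault.increase(10 ether) {} catch {}
    }
}

// Wires everything up: run(false) returns false (counters drifted), run(true) returns true.
contract Demo {
    function run(bool hardened) external payable returns (bool) {
        Vault v;
        if (hardened) v = new HardenedVault(); else v = new Vault();
        OrderBook ob = new OrderBook(v);
        Attacker a = new Attacker(ob);
        a.run{value: msg.value}();
        return ob.inSync();
    }
}
```

Deploy Demo and call run(false) with 1 ether of value: it returns false, because the Attacker's receive() re-entered the Vault while the OrderBook's lock was held and the two size counters drifted apart, which is exactly the condition under which an average price maintained outside the Vault stops describing what the Vault holds. run(true) returns true, since HardenedVault rejects the direct call. Note that the Attacker never trips the OrderBook's modifier at all; the guard is simply watching the wrong storage slot. A shared lock contract that both the OrderBook and the Vault acquire is the other common way to close this window, and moving the refund after setLeverage(false) (checks-effects-interactions) would also defeat this particular attacker.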

Next Steps

To address the attack's aftermath and protect user interests, GMX proposed the following specific plans:

  • Fund Allocation and Compensation Preparation: Approximately $3.6 million in tokens in the GLP pool are currently reserved against positions that have not yet been closed. V1 fees of approximately $500,000 on Arbitrum (after deducting the 30% that is automatically converted to GMX) will be transferred to the GMX DAO treasury to compensate affected GLP holders. The remaining funds on Arbitrum will be allocated to a compensation pool that affected GLP holders can claim from.
  • Disabling GLP Minting and Redemption: GLP minting and redemption on Arbitrum will be disabled. GLP minting on Avalanche will be disabled, but redemption will remain open to give users flexibility.
  • Position and Order Management: After GLP redemption on Arbitrum is disabled, the V1 position-closing functions on Arbitrum and Avalanche will be enabled so that users can close existing positions. The V1 position-opening functions will not be re-enabled, to prevent a repeat of the attack. Existing V1 orders on Arbitrum and Avalanche will no longer be executed, so users must cancel all V1 orders manually.
  • Subsequent Governance Discussion: GMX DAO will initiate governance discussions to plan further compensation measures, ensuring fair distribution of remaining funds and developing long-term prevention strategies.
  • Supporting esGMX Staking: Users staking esGMX with GLP on Arbitrum and Avalanche can continue staking. Avalanche users can redeem GLP at any time; redemption is recommended for GLP that is not being used for staking.
  • Recommendations for GMX V1 Forks: GMX urges all V1 fork projects to take two measures to prevent a similar attack: 1) disable leverage functions; 2) limit GLP minting.
