There are always two sides to a coin, just like the cryptocurrency space. On one side, the market is going mainstream, with an adoption rate at its peak, as governments adopt it as a treasury asset. On the other side, cyber attacks and exploitation cases involving crypto are increasing.
On July 9, the leading decentralized perpetual exchange on Arbitrum, GMX fell victim to one of the latest hacks of this year so far, losing over $42 million. This was not a brute-force smash-and-grab but a well-planned, precision-engineered assault that revealed the weaknesses in the V1 platform of GMX. The incident revealed that as technology and security are getting advanced the hackers are getting smarter and they are continuously finding new ways to exploit platforms.
Let’s deep dive into the incident and find how exactly hackers exploited GMX and stole $42 million.
GMX faced a major security breach on Wednesday, which led to a loss of over $42 million worth of cryptocurrency assets. Just after the theft, the attackers had already started cleaning their stolen money through the known channels. The funds were later partially transferred from Arbitum to Ethereum blockchain, with an estimated amount of about $9.6 million, and this is a typical trend, where hackers use cross-chain bridges, and then they may transfer funds through privacy protocols such as Tornado Cash.
The stolen portfolio contains wrapped Bitcoin (WBTC), wrapped Ethereum (WETH), FRAX, LINK, USDC and USDT. All the assets, excluding FRAX have been converted for 11,700 ETH which is worth around $32.33 million.
In reaction to the hack, the GMX developers have gone to the unconventional measure of reaching out to the hacker directly via an on-chain message, promising a 10% white-hat bounty to the hacker should they voluntarily send back the stolen funds. This would handle the event as a possible security audit as opposed to an attack.
The GMX exploit adds to an already worrying trend of cryptocurrency security breaches. Blockchain security firm CertiK estimated that investors have lost around $2.5 billion to different hacks and scams in the first half of 2025, which also reveals the weaknesses of the decentralized finance ecosystem.
Following the onchain discussions with the GMX team, the hacker entity agreed to return stolen funds in exchange for a 10% white-hat bounty. Under the terms, GMX will not take any legal actions against the hacker nor will it hold anything against the hacker.
Meanwhile, the hacker entity would keep approximately $5 million to themselves and send remaining stolen funds to the GMX deployer address.
How GMX Exploited
The attacker targeted the V1 protocol of GMX, its GLP pool Smart contracts. The flaw? A design flaw in the way the protocol dealt with short positions and how it computed the values of the assets. When a user opened a short position, the contract would instantly change the global average price–not waiting until the market responded. This enabled the attacker to tamper with the calculations done by the system and withdraw money at artificially low prices.
The Slowmist, a blockchain security firm, disclosed that the cause of this attack was a design flaw in GMX v1. According to Slowmist the root cause was that the global short average prices would instantly be reflected in short position operations, directly affecting the calculation of Asset Under Management (AUM) and thus manipulating the pricing of the GLP token.
This design flaw was exploited by the attacker by using Keeper to activate the “timelock.enableLeverage” functionality in order execution (a precondition to opening a large number of short positions). By means of reentry attacks, the attacker managed to open a large number of short positions, control the global average price, artificially increase the price of GLP in one transaction, and earn money by redemption operations.
The GMX exploit reveals a bitter reality: the openness of DeFi, which is its great strength, is also its Achilles heel. Even after a thorough audit, smart contracts may have hidden bugs that even highly skilled attackers can take advantage of. This hack highlights the difficulty of tracking illegal funds in a decentralized system, making recovery more difficult with the use of Tornado Cash.
In the case of GMX, the way out is a thorough postmortem, which the team has promised to do, to identify the underlying cause and avoid repetition. The industry should focus on the proactive approach, frequent smart contract updates, in-time control, and standardized security procedures. DeFi platforms might work together to create best practices, which will minimize the area of attack by hackers
The GMX hack is the wake-up call of the DeFi industry. Platforms such as GMX have to ensure that they offer state of the art features with uncompromising security. To the users, the incident is a lesson to remain cautious, turn off leverage when there are vulnerabilities, and use official sources to get updates.
Although DeFi offers financial freedom, it requires constant attention to ensure that it does not fall into the hands of individuals who will take advantage of its openness. As the crypto community awaits what GMX will do next, there is one thing that is apparent, in the race to the future of DeFi, security should be at the forefront.