USDGMX V1 Exploit Leads to Over $40M Loss, Partial Fund Return, and Protocol Shakeup
Security Flaws, ETH Timing Gains, and DeFi Fallout from July’s High-Profile Attack
A critical vulnerability in GMX V1, the decentralized derivatives exchange built on Arbitrum and Avalanche, led to one of the largest DeFi exploits this year. On July 9, 2025, an attacker drained approximately $42 million in digital assets, triggering a cascade of technical responses, fund recovery efforts, and debates about white-hat ethics. The exploit was traced to a smart contract architecture flaw involving a re-entrancy issue that allowed the attacker to manipulate token prices and siphon funds through flash loan positions. Although a nonReentrant modifier existed, it failed to cover interactions between contracts, particularly allowing manipulation between the Vault and GLP pricing logic.
The attacker strategically manipulated the GLP token price by exploiting the average BTC short price. By dragging BTC short prices down to $1,913.70 and inflating GLP’s value to $27, the attacker redeemed overvalued tokens to drain the vault. The exploit affected only GMX V1, sparing GMX V2, the GMX token, and associated liquidity pools. Over $42 million was stolen in ETH, BTC, FRAX, and DAI. The attacker initially parked the assets in a single wallet before bridging them from Arbitrum to Ethereum mainnet—a common tactic for laundering stolen crypto. They eventually swapped $32 million into 11,700 ETH when it was priced at $2,600, benefiting from the token’s subsequent rally to above $3,000, which pushed the stash to roughly $35 million and netted a $3 million gain.
Within 48 hours, GMX publicly acknowledged the incident and offered a 10% white-hat bounty, around $5 million, in exchange for the return of funds and a promise of no law enforcement involvement. The attacker responded with an on-chain message hinting at a possible return and followed through by sending back 5 million FRAX. Ultimately, they returned approximately $37.5 million in total—including about 9,000 ETH and 10.5 million FRAX—while retaining roughly $5 million, citing the market gain as part of their compliance. Funds were returned to the GMX Security Committee Multisig wallet, with security firms confirming the transfers. GMX acknowledged the return but moved quickly to contain the situation, halting all GLP minting and redemptions and pausing trading on Avalanche.
Daily fees in GLP pools surged to $717,000 during the peak of exploit activity, further compounding the disruption. GMX’s total value locked (TVL) plunged from over $480 million to $409.27 million, and its token price tumbled by 30% to $13.28. Some market confidence was later restored after the partial fund return, with the GMX token bouncing 14%. Despite the damage, the protocol reiterated that GMX V2, its liquidity pools, and token were unaffected, urging users to cancel open orders and disable leverage on V1 as the project winds down the affected version.
The broader impact extends far beyond GMX. This incident added to a staggering $2.5 billion lost to crypto hacks in the first half of 2025 alone, with other major attacks hitting Bybit for $1.4 billion and Nobitex for $81 million. The event reignited debate over DeFi security standards and the ethics surrounding white-hat negotiations. Critics questioned whether hackers should be rewarded with profits from market timing even if they return funds. The delayed response from stablecoin issuers like Circle also drew scrutiny, as the attacker managed to swap and move assets before blacklists could be implemented.
Security firms like PeckShield confirmed that $37.5 million in stolen assets were returned, but the technical weakness—a failure to extend re-entrancy protections across contracts—remains a key concern for all projects using similar architectures.
The exploit has underscored the fragility of certain DeFi frameworks and the speed at which vulnerabilities can be weaponized for massive gain. With the crypto price index still adjusting to shockwaves from the incident, and fluctuations continuing across major protocols, the coin market cap of GMX and similar projects will likely remain volatile as the ecosystem digests lessons from one of the year’s most significant breaches.
This article has been refined and enhanced by ChatGPT.
