GMX’s $42M Hack: DeFi Security Wake-Up Call
On July 9, 2025, GMX, a prominent decentralized exchange (DEX) well-known for perpetual and spot trading, acknowledged a disastrous exploit of its V1 GLP pool on Arbitrum. More than $40 million worth of tokens were drained by hackers in a single transaction, depleting the platform’s liquidity drastically.
How the Attack Unfolded
The attack targeted the V1 GLP pool mechanism, abusing GMX's leverage system to mint GLP tokens that were not backed by real deposits. Once the attacker had inflated their position this way, they redeemed the tokens for the pool's underlying assets, draining roughly $42 million in cryptocurrency.
GMX acted quickly to halt trading on Avalanche and Arbitrum, freezing minting and redemption of GLP tokens as it investigated the breach. Curiously, the breach was localized in V1 and did not affect GMX V2 or its markets.
What Was Stolen?
The stolen funds spanned a broad range of assets: ETH, USDC, DAI, UNI, WETH, LINK, and many more. The attacker routed funds through Tornado Cash to obscure their origin, and about $9.6 million of the stolen assets was bridged to Ethereum, further complicating tracing.
Audits and Oversight: A DeFi Paradox
GMX's V1 contracts had been audited by firms including Quantstamp and ABDK Consulting, whose reviews covered well-known risk classes such as reentrancy and access control. Yet neither audit caught the specific flaw the attacker used to manipulate the leverage mechanism. This points to a common problem in decentralized finance (DeFi) security: audits reliably catch generic vulnerability classes but often miss logic bugs that are specific to a given protocol's design.
DeFi’s Future in Question
This exploit raises serious doubts about the reliability of even the most thoroughly audited DeFi protocols. GMX, a long-time leader in the space, has always relied on its security-by-audit model. But this hack calls into question whether DeFi projects can ever completely protect themselves from novel attack vectors.
GMX, in turn, offered the attacker a 10% bounty in an attempt to recover the stolen funds, which highlights a long-standing dilemma in DeFi security: negotiating with attackers in the hope of recovering stolen money.