Crypto Exchange GMX Drained of Bitcoin, Ethereum in $40 Million Exploit

GMX, a cross-chain decentralized exchange specializing in perpetual futures trading, warned on Wednesday that an initial version of its platform was exploited.

Roughly $40 million worth of tokens were siphoned from GMX V1, which debuted on the Ethereum layer-2 scaling network Arbitrum in 2021, to an unknown wallet, GMX said on X. In response, GMX V1 trading was disabled, alongside the minting and redeeming of GMX’s GLP token on Arbitrum and the layer-1 network Avalanche, GMX said.

GMX was recently changing hands around $11.19, a nearly 21% drop over the past day, according to crypto data provider CoinGecko. GMX’s GLP token is designed to allow purchasers to earn fees in Ethereum or Avalanche from users’ activity on the exchange by effectively providing liquidity.

Investors can swap assets like Bitcoin and Ethereum for GLP tokens through GMX’s website, and those funds are then pooled together. In theory, GLP holders are able to sell the token back to GMX for assets in the liquidity pool—but most of those funds went missing on Wednesday.

That included around $10 million worth of Bitcoin, $10 million worth of Circle’s USDC stablecoin, $8.5 million worth of Ethereum, around $1 million worth of Tether’s USDT stablecoin, as well as substantial amounts of the Uniswap and Chainlink tokens, according to a dashboard on GMX’s website.

As the amount of money in the GLP liquidity pool plummeted on Wednesday, the supply of GLP tokens increased. Suhail Kakar, who leads developer relations for TAC, wrote on X that the exploit appears to be a “re-entrancy” attack that abused the logic behind minting GLP tokens.

“The attacker could trick the contract into thinking they hadn’t withdrawn anything—and mint more tokens repeatedly, using the same base funds,” Kakar explained. “This wasn’t a smash-and-grab. It was a long-planned, precision hit.”

Kakar, along with the blockchain security and data analytics firm PeckShield, noted that the attacker’s wallet was funded days before via Tornado Cash, the Ethereum coin mixer that the U.S. government previously sanctioned for its alleged use in money laundering.

GMX advised users on X to disable leverage trading and GLP minting. PeckShield said the vulnerability likely applies to forked versions of GMX, urging them to take caution as well.

Re-entrancy vulnerabilities allow an attacker to cram multiple calls—or interactions with a smart contract, which holds the code that powers decentralized apps—into a single function, tricking a smart contract into calculating an improper balance. One of the most prominent examples was the $55 million 2016 DAO hack on Ethereum.

Wednesday’s exploit is distinct from Bybit’s $1.4 billion loss in February, in which a developer’s workstation was compromised, ultimately leading to the largest crypto hack of all time.

Within GMX’s official Telegram channel, some users wondered whether GLP token investors would be refunded. On X, GMX said it plans on posting a detailed postmortem once the project’s investigation is complete. 

In a message sent to the attacker on-chain, GMX offered a “10% white-hat bounty,” equating to $4 million. Urging a “swift and ethical resolution,” the project said it would pursue no further legal action if the “funds are returned within 48 hours.”