If there’s one thing we know, it's that no DeFi protocol or platform is 100% safe.
On July 9th, @GMX_IO Exchange V1 was hacked for $42M.
Here’s our breakdown below from @Blackthornxyz’s Lead Security Partner @panprog (including a crucial lesson for smart contract development) 👇🔎

The root of the exploit was a re-entrancy vulnerability in the GMX smart contracts, specifically within PositionManager.executeDecreaseOrder.

The Attack ⚔️:
From OrderBook.executeDecreaseOrder, the profit (in ETH) was sent directly to the user. This triggered the receiver contract’s receive() function before timelock.disableLeverage() was called.

That function is intended to prevent direct Vault calls by disabling leverage, but because of its delayed invocation, the attacker was able to bypass it.
Within this re-entrancy context, the attacker called the Vault directly to manipulate short positions. A critical line in PositionManager - responsible for updating ShortsTracker.globalShortAveragePrices - was skipped.

As a result, the attacker could artificially inflate Vault.globalShortSizes without updating the average short price, which led to incorrect AUM calculations and inflated the GLP price.
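The ordering problem described above, as an added illustration that is not GMX code: the vulnerable version pays profit out before leverage is disabled and before the short-side bookkeeping runs, the hardened version finishes both before any value leaves the contract and also locks its own entry point. The interfaces (ITimelock, IShortsTracker), the DecreaseParams struct and paying profit as native ETH are simplified assumptions that mirror the roles named in the thread.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the ordering problem; this is not GMX code.
// The interfaces, the DecreaseParams struct and the way profit is paid are
// simplified assumptions that mirror the roles named in the thread.
interface ITimelock {
    function enableLeverage(address vault) external;
    function disableLeverage(address vault) external;
}

interface IShortsTracker {
    // Keeps globalShortAveragePrices in step with Vault.globalShortSizes.
    function updateGlobalShortData(
        address indexToken, uint256 sizeDelta, uint256 markPrice, bool isIncrease
    ) external;
}

struct DecreaseParams {
    address payable account;   // order owner; may be a contract with a receive() hook
    address indexToken;
    uint256 sizeDelta;
    uint256 markPrice;
    uint256 profitEth;         // profit to pay out, already computed by the order flow
}

contract PositionManagerVulnerable {
    ITimelock public immutable timelock;
    IShortsTracker public immutable shortsTracker;
    address public immutable vault;

    constructor(ITimelock t, IShortsTracker s, address v) {
        timelock = t; shortsTracker = s; vault = v;
    }
    receive() external payable {}

    function executeDecreaseOrder(DecreaseParams calldata p) external {
        timelock.enableLeverage(vault);            // Vault now accepts direct position calls
        // ... position decreased on the Vault, p.profitEth to be paid ...

        // BUG: value leaves the contract while leverage is still enabled and the
        // short-side bookkeeping below has not run. A contract at p.account gets
        // control inside its receive() at this point.
        (bool ok, ) = p.account.call{value: p.profitEth}("");
        require(ok, "payout failed");

        timelock.disableLeverage(vault);           // reached only after the callback returns
        shortsTracker.updateGlobalShortData(p.indexToken, p.sizeDelta, p.markPrice, false);
    }
}

contract PositionManagerHardened {
    ITimelock public immutable timelock;
    IShortsTracker public immutable shortsTracker;
    address public immutable vault;

    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private status = UNLOCKED;

    modifier nonReentrant() {
        require(status == UNLOCKED, "reentrant call");
        status = LOCKED;
        _;
        status = UNLOCKED;
    }

    constructor(ITimelock t, IShortsTracker s, address v) {
        timelock = t; shortsTracker = s; vault = v;
    }
    receive() external payable {}

    function executeDecreaseOrder(DecreaseParams calldata p) external nonReentrant {
        timelock.enableLeverage(vault);
        // ... position decreased on the Vault, p.profitEth to be paid ...

        // Effects first: finish all bookkeeping and close the Vault's leverage window
        // before any external call that can hand control to the order owner.
        shortsTracker.updateGlobalShortData(p.indexToken, p.sizeDelta, p.markPrice, false);
        timelock.disableLeverage(vault);

        // Interaction last: a re-entering receiver now finds leverage disabled and
        // this function locked.
        (bool ok, ) = p.account.call{value: p.profitEth}("");
        require(ok, "payout failed");
    }
}
```

Note that the `nonReentrant` guard on its own would not have closed this hole: the Vault honoured direct calls while leverage was enabled, so what matters is that `disableLeverage` and the ShortsTracker update run before the payout. The guard is defence in depth for the manager's own entry points; a pull-payment design (users withdraw profit in a separate call) removes the callback from the order flow entirely.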
The Stealing of $42M funds 💰:
The attacker first bought GLP for a lower price, then inflated it with re-entrancy loops, then sold the GLP back to the Vault at an inflated price. This drained nearly all tokens held in the Vault. Total haul: $42M in ETH, BTC, USDC, and more.
The Aftermath?
1) GMX halted all trading, minting, and redeeming for GLP on Arbitrum and Avalanche.
2) GMX V2 and other protocol components were not affected.
3) The attacker was offered a 10% white-hat bounty (approx. $4.2 million) if funds were returned within 48 hours.
As of the time of writing this post, the hacker has started returning funds to the GMX team after negotiating a payout 🙌. As security partners with GMX starting with their V2, we have been assisting with this situation & are delighted to hear this. We’re looking forward to continuing work with GMX in the future.
The Lessons 🎓:
✅ Ensure there’s no reentrancy possible, even if it looks harmless - Initially, GMX v1 allowed users direct interaction with the Vault. As such, the ability to interact with the Vault directly didn’t seem dangerous to many.
✅ Ensure there are sanity checks for quick changes of value, such as token or share prices: revert execution if, within a short time span, the price of any asset (like GLP in this instance) changes by more than a certain percentage.
✅ Ensure there is strict off-chain monitoring in place for any suspicious patterns, possibly automatically halting trading in extreme situations. For example, if GLP price is outside some pre-defined range at any point in time, halt operations immediately to investigate.
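The last two lessons as an added example, not GMX code: an on-chain limit on how fast the GLP price (AUM divided by supply) may move, checked before and after every guarded action, plus a halt switch that an off-chain monitor can trip when the price leaves its expected range. It generalises the "fixed percentage per short span" rule slightly: the tolerated move is a small floor (normal fee drift) plus a budget that grows with the time since the last accepted price, so a big jump needs a proportionally long gap. IAumSource and IGlpSupply are minimal assumed interfaces; the 1e30 price precision, the guardian role and the parameter names are choices made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not GMX code): a GLP price-move limit plus a halt switch for an
// off-chain monitor. IAumSource and IGlpSupply are minimal assumed interfaces.
interface IAumSource {
    function getAum(bool maximise) external view returns (uint256);
}

interface IGlpSupply {
    function totalSupply() external view returns (uint256);
}

contract GlpPriceCircuitBreaker {
    uint256 public constant BPS = 10_000;
    uint256 public constant PRICE_PRECISION = 1e30;   // assumed precision for this example

    IAumSource public immutable glpManager;
    IGlpSupply public immutable glp;
    address public immutable guardian;      // key held by the monitoring system
    uint256 public immutable floorBps;      // move tolerated within a single call (fees)
    uint256 public immutable rateBps;       // additional move tolerated per full `window`
    uint256 public immutable window;        // seconds

    uint256 public anchorPrice;             // last accepted GLP price
    uint256 public anchorTime;              // when it was accepted
    bool public halted;

    event Halted(address indexed by, string reason);
    event Resumed(address indexed by);

    constructor(IAumSource _glpManager, IGlpSupply _glp, address _guardian,
                uint256 _floorBps, uint256 _rateBps, uint256 _window) {
        require(_window > 0, "window must be positive");
        glpManager = _glpManager; glp = _glp; guardian = _guardian;
        floorBps = _floorBps; rateBps = _rateBps; window = _window;
    }

    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }

    // GLP price = AUM / supply, the quantity the thread says was inflated.
    function glpPrice() public view returns (uint256) {
        uint256 supply = glp.totalSupply();
        if (supply == 0) return PRICE_PRECISION;    // bootstrap: 1 GLP = 1 USD
        return glpManager.getAum(true) * PRICE_PRECISION / supply;
    }

    // Largest move allowed relative to the anchor: a floor for normal fee drift plus
    // a budget that grows linearly with the time elapsed since the anchor was set.
    function allowedDeviationBps() public view returns (uint256) {
        if (anchorTime == 0) return type(uint256).max;
        return floorBps + rateBps * (block.timestamp - anchorTime) / window;
    }

    function _enforce() internal {
        uint256 price = glpPrice();
        if (anchorTime != 0) {
            uint256 hi = price > anchorPrice ? price : anchorPrice;
            uint256 lo = price > anchorPrice ? anchorPrice : price;
            // (hi - lo) / lo <= allowed / BPS, kept in integer arithmetic
            require((hi - lo) * BPS <= lo * allowedDeviationBps(), "GLP price moved too fast");
        }
        anchorPrice = price;
        anchorTime = block.timestamp;
    }

    // Wrap every mint/redeem entry point. Checking both before and after the action
    // means a single call cannot itself push the price out of band.
    modifier priceSane() {
        require(!halted, "trading halted");
        _enforce();
        _;
        _enforce();
    }

    // Off-chain monitoring calls this when GLP leaves its pre-defined range.
    function halt(string calldata reason) external onlyGuardian {
        halted = true;
        emit Halted(msg.sender, reason);
    }

    function resume() external onlyGuardian {
        halted = false;
        emit Resumed(msg.sender);
    }
}
```

A GlpManager-style contract would inherit this and mark its mint and redeem functions `priceSane`; the monitor watches `glpPrice()` (and the `Halted` event) and calls `halt` with a reason when the price is outside the expected band. The trade-off is deliberate: a genuine fast market move also reverts user actions until the time budget catches up, which is the point of a circuit breaker.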
Check out our blog for the full report 👇