GMX offers hacker 10% white hat bounty after $42 million exploit

  • Decentralised futures exchange GMX got exploited.
  • The exploiter attacked the first version of the protocol on Arbitrum.
  • GMX is investigating the exploit.

A hacker exploited GMX, the decentralised perpetual futures exchange, on Wednesday, stealing $42 million worth of crypto from the platform.

At 1:34pm London time, a malicious actor transferred assets held by the protocol to another address. The exploiter then bridged about $9.6 million of the stolen funds from Arbitrum, where the hack took place, to Ethereum.

“Trading on GMX v1, and the minting and redeeming of GLP, have been disabled on both Arbitrum and Avalanche to prevent any further attack vectors and protect users from additional negative impacts,” GMX said in an X post. “Core contributors are investigating how the manipulation occurred, and what vulnerability may have enabled it.”

The exploit comes as a blow to GMX, which holds $500 million worth of user deposits. The protocol’s GMX token fell 28% in the aftermath, and now trades at $11.20.

The exploiter targeted GMX v1 on Arbitrum, which launched in 2021. The stolen assets included $10 million worth of Legacy Frax Dollars, $9.7 million worth of USDC, and smaller amounts of Wrapped Bitcoin and Ether, among others.

The attacker’s address was funded from the privacy protocol Tornado Cash, and deployed a malicious smart contract that drained the protocol, according to the security firm Cyvers.

It’s not the first time the v1 version of GMX has suffered an exploit. In September 2022, the protocol’s version on the Avalanche blockchain was hacked for $560,000.

White hat bounty

Around an hour after the attack, GMX sent an onchain message to the attacker’s address offering a 10% white-hat bounty for the return of the stolen funds within 48 hours.

It also assured users that v2 smart contracts were not impacted by the exploit, and that the attack was limited to v1 and its GLP pool. GLP acted as the liquidity pool for all trades, but this was modified in v2.

GMX upgraded to v2 in 2023, which now handles the bulk of trades. But the protocol left the v1 smart contracts live for anyone to use.

Other funds may still be at risk.

There is over $27 million held in GMX v1 forks currently, according to DefiLlama. Depending on the nature of the attack, these protocols could also face danger.

Forks are DeFi protocols that copy open-source code from an existing protocol, often with small changes or deployed on a different blockchain.

GMX says that it is working with its security partners to determine how the attack was conducted and will release a full incident report once all information is validated.

Zachary Rampone is a DeFi correspondent at DL News. Have a tip? Contact him at zrampone@dlnews.com.
