Security

GMX V1 Suffers $42 Million Reentrancy Exploit on Arbitrum

A reentrancy vulnerability, introduced during a prior patch, allowed an attacker to manipulate price oracle logic and drain $42 million from GMX V1 liquidity pools.
September 23, 20253 min

The image features dynamic, translucent blue and white fluid-like forms, with a prominent textured white mass on the left and a soft, out-of-focus white sphere floating above. Smaller, clear droplet-like elements are visible on the far right
The image showcases tall, reflective rectangular structures emerging from a vast body of rippling water, flanked by dynamic white cloud formations and scattered blue particles. A prominent, textured white mass, resembling a complex brain or cloud, sits partially submerged in the water on the right

Briefing

A critical reentrancy vulnerability in GMX V1’s smart contracts led to a sophisticated exploit in July 2025, resulting in the draining of approximately $42 million from its liquidity pools on the Arbitrum network. The attacker leveraged a flaw within the executeDecreaseOrder function, manipulating the protocol’s internal price calculations to artificially inflate GLP token values. This allowed the malicious actor to acquire GLP at a suppressed rate and redeem it for substantial profit, underscoring the severe financial risks inherent in unaudited code updates. The incident concluded with the attacker returning the majority of funds in exchange for a $5 million bounty.

The image showcases a dark, metallic "X" structure with bright silver accents and internal blue illumination, surrounded by translucent blue tendrils. These ethereal blue tendrils organically flow around and through the central "X" symbol, visually representing the dynamic transfer of digital assets or oracle data within a sophisticated blockchain architecture

Context

Prior to this incident, the DeFi ecosystem has consistently faced a prevailing attack surface characterized by complex smart contract interactions and the introduction of new vulnerabilities through seemingly innocuous code changes. This specific exploit leveraged a vulnerability that emerged from a previous patch designed to address issues with non-atomic updates of global short positions and average short prices. The absence of a subsequent comprehensive audit on this fix created an exploitable window, highlighting the inherent risks of unverified modifications to critical protocol logic.

The image displays vibrant blue, faceted crystalline structures, resembling precious gemstones, partially surrounded by soft, white, cloud-like material. These elements are contained within a translucent blue vessel, with additional white material spilling over its edges

Analysis

The incident’s technical mechanics centered on a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. The attacker deployed a malicious smart contract that, when called by the vulnerable function during the gas refund phase, regained control before the protocol’s state was fully updated. This re-entry allowed the attacker to exploit a circular dependency between global short positions, average short prices, Assets Under Management (AUM) calculations, and GLP token values. By manipulating the average BTC short price, the attacker could purchase GLP tokens at an artificially low price and redeem them at an inflated value, effectively draining $42 million from the protocol’s liquidity.

The image presents a detailed view of metallic engineering components partially submerged in a vibrant blue, bubbly, viscous substance. A prominent silver cylindrical element with a central pin is visible on the left, while block-like structures are partially obscured in the background

Parameters

  • Protocol Targeted → GMX V1
  • Attack VectorReentrancy Exploit
  • Financial Impact → $42 Million
  • Blockchain Affected → Arbitrum
  • Vulnerability Origin → Unaudited patch for previous vulnerability
  • Funds Recovered → Bulk of funds returned for $5 Million bounty
  • Exploit Date → July 2025

The image displays an abstract composition of metallic, cylindrical objects interspersed with voluminous clouds of white and blue smoke. A glowing, textured sphere resembling the moon is centrally positioned among the metallic forms

Outlook

This incident serves as a critical reminder for all DeFi protocols to implement rigorous, multi-layered security audits for every code change, no matter how minor, to prevent the introduction of new vulnerabilities. Immediate mitigation for users involves staying informed on protocol security announcements and understanding the risks associated with liquidity provision in complex DeFi instruments. For similar protocols, this event underscores the contagion risk of reentrancy flaws and the necessity of robust input validation and state management. The incident will likely reinforce best practices around continuous auditing, formal verification, and the careful management of legacy contracts, potentially establishing new industry standards for patch deployment and verification.

The GMX V1 reentrancy exploit unequivocally demonstrates that even mature DeFi protocols remain vulnerable to code-level flaws, particularly those introduced during unverified patches, necessitating an unyielding commitment to continuous security auditing and robust smart contract design.

Signal Acquired from → Halborn Blog

Micro Crypto News Feeds

liquidity pools

Definition ∞ Liquidity pools are pools of digital assets locked in smart contracts, used to facilitate decentralized trading.

short positions

Definition ∞ Short Positions represent an investment strategy where a trader speculates on a decline in an asset's price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

reentrancy

Definition ∞ Reentrancy is a security vulnerability in smart contracts that allows an attacker to repeatedly execute a function before the initial execution has completed.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

funds

Definition ∞ Funds, in the context of digital assets, refer to pools of capital pooled together for investment in cryptocurrencies, tokens, or other digital ventures.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: