Security

GMX V1 Suffers $42 Million Reentrancy Exploit on Arbitrum

A reentrancy vulnerability, introduced during a prior patch, allowed an attacker to manipulate price oracle logic and drain $42 million from GMX V1 liquidity pools.
September 23, 20253 min

A detailed perspective showcases a high-tech module, featuring a prominent circular sensor with a brushed metallic surface, enveloped by a translucent blue protective layer. Beneath, multiple dark gray components are stacked upon a silver-toned base, with a bright blue connector plugged into its side
The image displays a transparent, glass-like molecular structure, featuring a central spherical component encased in metallic wires, connected to a branching network. Blue liquid or light fills the transparent material, creating a sense of dynamic flow within the structure

Briefing

A critical reentrancy vulnerability in GMX V1’s smart contracts led to a sophisticated exploit in July 2025, resulting in the draining of approximately $42 million from its liquidity pools on the Arbitrum network. The attacker leveraged a flaw within the executeDecreaseOrder function, manipulating the protocol’s internal price calculations to artificially inflate GLP token values. This allowed the malicious actor to acquire GLP at a suppressed rate and redeem it for substantial profit, underscoring the severe financial risks inherent in unaudited code updates. The incident concluded with the attacker returning the majority of funds in exchange for a $5 million bounty.

A polished metallic cylindrical component, featuring a dark nozzle and a delicate golden wire, precisely interacts with a vibrant blue, translucent fluid. The fluid appears to be actively channeled and shaped by the mechanism, creating a dynamic visual of flow and processing

Context

Prior to this incident, the DeFi ecosystem has consistently faced a prevailing attack surface characterized by complex smart contract interactions and the introduction of new vulnerabilities through seemingly innocuous code changes. This specific exploit leveraged a vulnerability that emerged from a previous patch designed to address issues with non-atomic updates of global short positions and average short prices. The absence of a subsequent comprehensive audit on this fix created an exploitable window, highlighting the inherent risks of unverified modifications to critical protocol logic.

A high-tech, white modular apparatus is depicted in a state of connection, with two primary sections slightly apart, showcasing complex internal mechanisms illuminated by intense blue light. A brilliant, pulsating blue energy stream, representing a secure data channel, actively links the two modules

Analysis

The incident’s technical mechanics centered on a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. The attacker deployed a malicious smart contract that, when called by the vulnerable function during the gas refund phase, regained control before the protocol’s state was fully updated. This re-entry allowed the attacker to exploit a circular dependency between global short positions, average short prices, Assets Under Management (AUM) calculations, and GLP token values. By manipulating the average BTC short price, the attacker could purchase GLP tokens at an artificially low price and redeem them at an inflated value, effectively draining $42 million from the protocol’s liquidity.

The image displays abstract, translucent, glass-like structures, with a prominent, sharply focused one in the foreground that bends and recedes into the background. Hints of vibrant blue elements, possibly representing flowing liquid or light, are visible within and behind these clear conduits

Parameters

  • Protocol Targeted → GMX V1
  • Attack VectorReentrancy Exploit
  • Financial Impact → $42 Million
  • Blockchain Affected → Arbitrum
  • Vulnerability Origin → Unaudited patch for previous vulnerability
  • Funds Recovered → Bulk of funds returned for $5 Million bounty
  • Exploit Date → July 2025

A detailed abstract render presents a dense arrangement of dark blue and grey modular blocks, interspersed with a vibrant, glowing blue cluster of small cubes. Two prominent white spheres and several smaller ones are positioned around this illuminated core, interconnected by white and black flexible conduits

Outlook

This incident serves as a critical reminder for all DeFi protocols to implement rigorous, multi-layered security audits for every code change, no matter how minor, to prevent the introduction of new vulnerabilities. Immediate mitigation for users involves staying informed on protocol security announcements and understanding the risks associated with liquidity provision in complex DeFi instruments. For similar protocols, this event underscores the contagion risk of reentrancy flaws and the necessity of robust input validation and state management. The incident will likely reinforce best practices around continuous auditing, formal verification, and the careful management of legacy contracts, potentially establishing new industry standards for patch deployment and verification.

The GMX V1 reentrancy exploit unequivocally demonstrates that even mature DeFi protocols remain vulnerable to code-level flaws, particularly those introduced during unverified patches, necessitating an unyielding commitment to continuous security auditing and robust smart contract design.

Signal Acquired from → Halborn Blog

Micro Crypto News Feeds

liquidity pools

Definition ∞ Liquidity pools are pools of digital assets locked in smart contracts, used to facilitate decentralized trading.

short positions

Definition ∞ Short Positions represent an investment strategy where a trader speculates on a decline in an asset's price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

reentrancy

Definition ∞ Reentrancy is a security vulnerability in smart contracts that allows an attacker to repeatedly execute a function before the initial execution has completed.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

funds

Definition ∞ Funds, in the context of digital assets, refer to pools of capital pooled together for investment in cryptocurrencies, tokens, or other digital ventures.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: