Briefing

A critical reentrancy vulnerability in GMX V1's smart contracts was exploited in July 2025, draining approximately $42 million from the protocol's liquidity pools on the Arbitrum network. The attacker used a flaw in the executeDecreaseOrder function to re-enter the protocol before its state had been fully updated and to manipulate the internal price calculations that feed GLP token valuation. Having acquired GLP before the manipulation, the attacker redeemed it at the artificially inflated value for a substantial profit, underscoring the financial risk of deploying code changes without an audit. The incident concluded with the attacker returning the majority of the funds in exchange for a $5 million bounty.

Context

Before this incident, the DeFi ecosystem already faced an attack surface shaped by complex smart contract interactions, in which seemingly innocuous code changes can introduce new vulnerabilities. This exploit used a flaw that was introduced by an earlier patch, one intended to fix non-atomic updates of global short positions and average short prices. Because that fix was never followed by a comprehensive audit, it left an exploitable window, illustrating the risk of unverified modifications to critical protocol logic.

Analysis

The incident's technical mechanics centred on a reentrancy vulnerability in GMX V1's executeDecreaseOrder function. The attacker deployed a malicious contract that, when the vulnerable function transferred the ETH gas refund to it, regained control before the protocol's state had been fully updated. From inside that callback the attacker exploited a circular dependency between global short positions, the average short price, the Assets Under Management (AUM) calculation and the GLP price: GLP is valued from AUM, and AUM includes the unrealized PnL of the pool's global short position, which is computed from the average short price. By manipulating the average BTC short price, the attacker inflated AUM and with it the GLP price, then redeemed GLP acquired before the manipulation at the inflated value, draining $42 million from the protocol's liquidity.
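The dependency chain and the ordering flaw described above, as an added Python model that is not code from this page, from GMX or from Halborn: the vault layout, the AUM formula (pool assets plus the pool's side of the unrealized short PnL), the size-weighted average entry, the way the decrease path splits its state writes around the external call, and every number are simplifying assumptions of mine. The `hardened` flag switches to writing state before the external call and rejecting re-entrant calls, which is what closes the window in this model.

```python
from dataclasses import dataclass, field
from typing import Callable


class ReentrancyError(RuntimeError):
    """Raised by the hardened vault when an external call re-enters it."""


@dataclass
class ToyVault:
    """Constructed model, not GMX code: pool assets plus the pool's side of the
    global short PnL give AUM, and GLP is priced as AUM / supply."""
    pool_usd: float            # USD value of the assets the pool holds
    glp_supply: float          # outstanding GLP
    short_size_usd: float      # notional of all open BTC shorts against the pool
    avg_short_price: float     # size-weighted average entry price of those shorts
    hardened: bool = False     # True: write state before the external call, under a lock
    _entered: bool = field(default=False, init=False, repr=False)

    def aum(self, mark: float) -> float:
        # Shorts lose, and the pool gains, when the mark is above their average entry.
        # A stale low average combined with a large size makes AUM (and GLP) inflate.
        pool_side_pnl = self.short_size_usd * (mark - self.avg_short_price) / self.avg_short_price
        return self.pool_usd + pool_side_pnl

    def glp_price(self, mark: float) -> float:
        return self.aum(mark) / self.glp_supply

    def mint_glp(self, usd: float, mark: float) -> float:
        glp = usd / self.glp_price(mark)
        self.pool_usd += usd
        self.glp_supply += glp
        return glp

    def redeem_glp(self, glp: float, mark: float) -> float:
        usd = glp * self.glp_price(mark)
        self.pool_usd -= usd
        self.glp_supply -= glp
        return usd

    def _enter(self) -> None:
        if self.hardened and self._entered:
            raise ReentrancyError("re-entrant call rejected")
        self._entered = True

    def _exit(self) -> None:
        self._entered = False

    def increase_short(self, size_usd: float, price: float) -> None:
        self._enter()
        try:
            total = self.short_size_usd + size_usd
            self.avg_short_price = (self.avg_short_price * self.short_size_usd + price * size_usd) / total
            self.short_size_usd = total
        finally:
            self._exit()

    def execute_decrease_order(self, size_usd: float, mark: float,
                               refund_hook: Callable[["ToyVault"], None]) -> None:
        """Close size_usd of the global short, realize its PnL into the pool and
        refund the order's fee. refund_hook stands in for the ETH transfer that
        hands execution to the receiving contract (assumed behaviour)."""
        self._enter()
        try:
            avg_snapshot = self.avg_short_price            # read before the external call
            self.pool_usd += size_usd * (mark - avg_snapshot) / avg_snapshot
            self.short_size_usd -= size_usd
            if self.hardened:
                self.avg_short_price = avg_snapshot        # effects complete ...
                refund_hook(self)                          # ... before the interaction
            else:
                refund_hook(self)                          # control leaves with the update half done
                self.avg_short_price = avg_snapshot        # stale write clobbers whatever ran in between
        finally:
            self._exit()


def run_scenario(hardened: bool, mark: float = 60_000.0) -> dict:
    """Mint GLP honestly, re-enter during a decrease order to open a large short,
    then redeem. All figures are constructed toy values."""
    vault = ToyVault(pool_usd=10_000_000.0, glp_supply=10_000_000.0,
                     short_size_usd=1_000_000.0, avg_short_price=50_000.0,
                     hardened=hardened)
    spent = 1_000_000.0
    glp = vault.mint_glp(spent, mark)                 # 1. buy GLP at the honest price
    price_before = vault.glp_price(mark)

    def malicious_refund(v: ToyVault) -> None:        # 2. the receiver re-enters
        try:
            v.increase_short(20_000_000.0, mark)      # size lands; the average is about to be clobbered
        except ReentrancyError:
            pass                                      # hardened vault: rejected by the lock

    vault.execute_decrease_order(100_000.0, mark, malicious_refund)

    price_after = vault.glp_price(mark)
    received = vault.redeem_glp(glp, mark)            # 3. cash out at the vault's new belief
    return {"price_before": price_before, "price_after": price_after,
            "profit_usd": received - spent}


if __name__ == "__main__":
    for flag in (False, True):
        r = run_scenario(hardened=flag)
        print(f"hardened={flag}: GLP {r['price_before']:.4f} -> {r['price_after']:.4f}, "
              f"attacker profit ${r['profit_usd']:,.0f}")
```

Running it prints the GLP price before and after the re-entrant call for both orderings. Only the vulnerable ordering leaves the vault believing a 20.9M short was opened at the old 50,000 average while the mark is 60,000, so AUM jumps and the attacker's GLP redeems for more than it cost; with state written first and the lock in place, the re-entrant increase is rejected and the redemption returns exactly what was spent. The figures are chosen to make the inflation visible, not to reconstruct the actual transaction.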

Parameters

  • Protocol Targeted ∞ GMX V1
  • Attack Vector ∞ Reentrancy Exploit
  • Financial Impact ∞ $42 Million
  • Blockchain Affected ∞ Arbitrum
  • Vulnerability Origin ∞ Unaudited patch for previous vulnerability
  • Funds Recovered ∞ Bulk of funds returned for $5 Million bounty
  • Exploit Date ∞ July 2025

Outlook

This incident is a reminder for all DeFi protocols to put every code change, however minor, through rigorous, multi-layered security review before deployment, since a patch can introduce a new vulnerability while fixing an old one. For users, immediate mitigation means following protocol security announcements and understanding the risks of providing liquidity to complex DeFi instruments. For similar protocols, the event underscores the contagion risk of reentrancy flaws and the need for reentrancy guards, a checks-effects-interactions ordering that completes state updates before any external call, and strict input validation. It will likely reinforce best practices around continuous auditing, formal verification and careful management of legacy contracts, and may set new industry expectations for how patches are deployed and verified.

The GMX V1 reentrancy exploit unequivocally demonstrates that even mature DeFi protocols remain vulnerable to code-level flaws, particularly those introduced during unverified patches, necessitating an unyielding commitment to continuous security auditing and robust smart contract design.

Signal Acquired from ∞ Halborn Blog
