Skip to main content
Security

GMX V1 Suffers Reentrancy Exploit, Draining $42 Million

A reentrancy vulnerability in GMX V1's smart contracts allowed an attacker to manipulate asset valuations, leading to significant liquidity drain.
September 29, 20253 min

A large, irregularly shaped object, half white and half blue, with translucent rings orbiting it, rests on a dark, reflective surface. White granular material is scattered around its base, set against a background of tall, reflective pillars
The image displays a complex abstract composition featuring a prominent mass of deep blue, textured material partially covered by fluffy white particles. A sleek, reflective silver object cuts through this blue and white structure, accompanied by thin, arcing silver wires and a small, mottled white sphere

Briefing

The GMX V1 decentralized finance protocol experienced a significant security incident in July 2025, where an attacker exploited a reentrancy vulnerability within its smart contracts. This critical flaw enabled the manipulation of asset under management (AUM) calculations, leading to the unauthorized draining of liquidity. The incident resulted in a total loss of $42 million from the protocol’s GLP liquidity pool.

The Ethereum logo is prominently displayed on a detailed blue circuit board, enveloped by a complex arrangement of blue wires. This imagery illustrates the sophisticated infrastructure of the Ethereum blockchain, emphasizing its decentralized nature and interconnected systems

Context

Reentrancy has long been recognized as a foundational vulnerability within smart contract design, often arising from non-atomic state updates during external calls. Prior to this incident, the GMX V1 protocol had attempted to address a related bug concerning global short updates in 2022, but the subsequent fix was deployed without a comprehensive security audit, inadvertently introducing the new reentrancy vector. This oversight created an exploitable attack surface within a critical component of the protocol’s financial mechanics.

A visually striking scene depicts two spherical, metallic structures against a deep gray backdrop. The foreground sphere is dramatically fracturing, emitting a luminous blue explosion of geometric fragments, while a smaller, ringed sphere floats calmly in the distance

Analysis

The attack leveraged a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. This function, when processing a refund, transferred control to the attacker’s smart contract, allowing it to re-enter the vulnerable function before the protocol’s internal state was fully updated. Specifically, the attacker manipulated a circular dependency between global short positions, average short prices, and asset under management (AUM) calculations.

By repeatedly calling the function, the attacker updated the list of short positions but not the global average short price, creating an artificially low historical price. This distortion inflated AUM calculations and the perceived value of GLP tokens, enabling the attacker to redeem them for $42 million in underlying assets.

The composition features abstract, flowing structures in shades of blue, white, and silver, with translucent strands connecting more solid, layered components. These elements create a dynamic visual of interconnected digital architecture against a light grey background

Parameters

  • Protocol Targeted ∞ GMX V1
  • Attack Vector ∞ Reentrancy Vulnerability
  • Financial Impact ∞ $42 Million
  • Blockchain(s) Affected ∞ Arbitrum (GLP pool)
  • Vulnerable Function ∞ executeDecreaseOrder
  • Exploited Mechanism ∞ GLP price calculation via AUM manipulation
  • Resolution ∞ Attacker returned funds for a $5 Million bounty

A close-up view presents an intricate mechanical component, featuring polished silver and grey metallic elements, partially submerged in a luminous blue, viscous liquid topped with light blue foam. The liquid forms a radial, web-like pattern around a central circular bearing, integrating seamlessly with the metallic structure's spokes

Outlook

This incident underscores the critical necessity for rigorous and independent security audits of all smart contract modifications, regardless of their perceived scope. Protocols must adopt a “secure by design” philosophy, ensuring that even minor code changes undergo thorough verification to prevent the introduction of new vulnerabilities. For users, it reinforces the importance of monitoring protocol announcements and understanding the inherent risks associated with even established DeFi platforms. This event will likely prompt enhanced auditing standards for complex financial primitives and re-emphasize the need for robust reentrancy guards in all external calls.

The GMX V1 reentrancy exploit serves as a stark reminder that even mature DeFi protocols remain susceptible to fundamental smart contract vulnerabilities, necessitating continuous, comprehensive auditing and a proactive security posture to safeguard digital assets.

Signal Acquired from ∞ Halborn

Micro Crypto News Feeds

asset under management

Definition ∞ Asset under Management, or AUM, denotes the total market value of all financial assets that an institution or individual manages on behalf of clients.

external calls

Definition ∞ External calls in smart contracts refer to interactions initiated by one smart contract with another contract or an external address.

short positions

Definition ∞ Short Positions represent an investment strategy where a trader speculates on a decline in an asset's price.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: