Security

GMX V1 Suffers Reentrancy Exploit, Draining $42 Million

A reentrancy vulnerability in GMX V1's smart contracts allowed an attacker to manipulate asset valuations, leading to significant liquidity drain.
September 29, 20253 min

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape
Intertwined translucent conduits, filled with vibrant blue light or fluid, dominate the foreground, connecting to metallic cylindrical components. The surfaces of these conduits exhibit a frosted, textured appearance, suggesting dynamic processes within

Briefing

The GMX V1 decentralized finance protocol experienced a significant security incident in July 2025, where an attacker exploited a reentrancy vulnerability within its smart contracts. This critical flaw enabled the manipulation of asset under management (AUM) calculations, leading to the unauthorized draining of liquidity. The incident resulted in a total loss of $42 million from the protocol’s GLP liquidity pool.

A luminous, multifaceted crystal, glowing with blue light, is nestled within a dark, textured structure, partially covered by a white, granular substance. The central clear crystal represents a high-value digital asset, perhaps a core token or a non-fungible token NFT with significant utility

Context

Reentrancy has long been recognized as a foundational vulnerability within smart contract design, often arising from non-atomic state updates during external calls. Prior to this incident, the GMX V1 protocol had attempted to address a related bug concerning global short updates in 2022, but the subsequent fix was deployed without a comprehensive security audit, inadvertently introducing the new reentrancy vector. This oversight created an exploitable attack surface within a critical component of the protocol’s financial mechanics.

A translucent, melting ice formation sits precariously on a detailed blue electronic substrate, evoking the concept of frozen liquidity within the cryptocurrency ecosystem. This imagery highlights the fragility of digital asset markets and the potential for blockchain network disruptions

Analysis

The attack leveraged a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. This function, when processing a refund, transferred control to the attacker’s smart contract, allowing it to re-enter the vulnerable function before the protocol’s internal state was fully updated. Specifically, the attacker manipulated a circular dependency between global short positions, average short prices, and asset under management (AUM) calculations.

By repeatedly calling the function, the attacker updated the list of short positions but not the global average short price, creating an artificially low historical price. This distortion inflated AUM calculations and the perceived value of GLP tokens, enabling the attacker to redeem them for $42 million in underlying assets.

A close-up view reveals a dark blue circuit board populated with numerous silver electronic components and intricate conductive pathways. White vapor or clouds emanate from around a large central chip and its metallic heat sink structure, visually representing the intense processing power and data flow inherent in blockchain architecture

Parameters

  • Protocol Targeted → GMX V1
  • Attack Vector → Reentrancy Vulnerability
  • Financial Impact → $42 Million
  • Blockchain(s) Affected → Arbitrum (GLP pool)
  • Vulnerable Function → executeDecreaseOrder
  • Exploited Mechanism → GLP price calculation via AUM manipulation
  • Resolution → Attacker returned funds for a $5 Million bounty

A visually striking scene depicts two spherical, metallic structures against a deep gray backdrop. The foreground sphere is dramatically fracturing, emitting a luminous blue explosion of geometric fragments, while a smaller, ringed sphere floats calmly in the distance

Outlook

This incident underscores the critical necessity for rigorous and independent security audits of all smart contract modifications, regardless of their perceived scope. Protocols must adopt a “secure by design” philosophy, ensuring that even minor code changes undergo thorough verification to prevent the introduction of new vulnerabilities. For users, it reinforces the importance of monitoring protocol announcements and understanding the inherent risks associated with even established DeFi platforms. This event will likely prompt enhanced auditing standards for complex financial primitives and re-emphasize the need for robust reentrancy guards in all external calls.

The GMX V1 reentrancy exploit serves as a stark reminder that even mature DeFi protocols remain susceptible to fundamental smart contract vulnerabilities, necessitating continuous, comprehensive auditing and a proactive security posture to safeguard digital assets.

Signal Acquired from → Halborn

Micro Crypto News Feeds

asset under management

Definition ∞ Asset under Management, or AUM, denotes the total market value of all financial assets that an institution or individual manages on behalf of clients.

external calls

Definition ∞ External calls in smart contracts refer to interactions initiated by one smart contract with another contract or an external address.

short positions

Definition ∞ Short Positions represent an investment strategy where a trader speculates on a decline in an asset's price.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: