Skip to main content
Security

GMX V1 Suffers Reentrancy Exploit, Draining $42 Million

A reentrancy vulnerability in GMX V1's smart contracts allowed an attacker to manipulate asset valuations, leading to significant liquidity drain.
September 29, 20253 min

A large, irregularly shaped object, half white and half blue, with translucent rings orbiting it, rests on a dark, reflective surface. White granular material is scattered around its base, set against a background of tall, reflective pillars
A prominent blue Bitcoin emblem with a white 'B' symbol is centrally displayed, surrounded by an intricate network of metallic and blue mechanical components. Blurred elements of this complex machinery fill the foreground and background, creating depth and focusing on the central cryptocurrency icon

Briefing

The GMX V1 decentralized finance protocol experienced a significant security incident in July 2025, where an attacker exploited a reentrancy vulnerability within its smart contracts. This critical flaw enabled the manipulation of asset under management (AUM) calculations, leading to the unauthorized draining of liquidity. The incident resulted in a total loss of $42 million from the protocol’s GLP liquidity pool.

A detailed perspective showcases sophisticated metallic gears and bearings, intricately positioned within a clear, fluid-filled enclosure. The vibrant blue liquid, teeming with numerous small bubbles, circulates around these precisely engineered components, highlighting their operational interaction

Context

Reentrancy has long been recognized as a foundational vulnerability within smart contract design, often arising from non-atomic state updates during external calls. Prior to this incident, the GMX V1 protocol had attempted to address a related bug concerning global short updates in 2022, but the subsequent fix was deployed without a comprehensive security audit, inadvertently introducing the new reentrancy vector. This oversight created an exploitable attack surface within a critical component of the protocol’s financial mechanics.

Intricate white and dark metallic modular components connect, revealing vibrant blue internal illuminations signifying active data flow. Wisps of white vapor emanate, suggesting intense processing and efficient cooling within this advanced system

Analysis

The attack leveraged a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. This function, when processing a refund, transferred control to the attacker’s smart contract, allowing it to re-enter the vulnerable function before the protocol’s internal state was fully updated. Specifically, the attacker manipulated a circular dependency between global short positions, average short prices, and asset under management (AUM) calculations.

By repeatedly calling the function, the attacker updated the list of short positions but not the global average short price, creating an artificially low historical price. This distortion inflated AUM calculations and the perceived value of GLP tokens, enabling the attacker to redeem them for $42 million in underlying assets.

The image displays an abstract composition of flowing, undulating forms in shades of deep blue, light blue, and white. These layered structures create a sense of dynamic movement and depth, with glossy surfaces reflecting light

Parameters

  • Protocol Targeted ∞ GMX V1
  • Attack Vector ∞ Reentrancy Vulnerability
  • Financial Impact ∞ $42 Million
  • Blockchain(s) Affected ∞ Arbitrum (GLP pool)
  • Vulnerable Function ∞ executeDecreaseOrder
  • Exploited Mechanism ∞ GLP price calculation via AUM manipulation
  • Resolution ∞ Attacker returned funds for a $5 Million bounty

A luminous, multifaceted crystal, glowing with blue light, is nestled within a dark, textured structure, partially covered by a white, granular substance. The central clear crystal represents a high-value digital asset, perhaps a core token or a non-fungible token NFT with significant utility

Outlook

This incident underscores the critical necessity for rigorous and independent security audits of all smart contract modifications, regardless of their perceived scope. Protocols must adopt a “secure by design” philosophy, ensuring that even minor code changes undergo thorough verification to prevent the introduction of new vulnerabilities. For users, it reinforces the importance of monitoring protocol announcements and understanding the inherent risks associated with even established DeFi platforms. This event will likely prompt enhanced auditing standards for complex financial primitives and re-emphasize the need for robust reentrancy guards in all external calls.

The GMX V1 reentrancy exploit serves as a stark reminder that even mature DeFi protocols remain susceptible to fundamental smart contract vulnerabilities, necessitating continuous, comprehensive auditing and a proactive security posture to safeguard digital assets.

Signal Acquired from ∞ Halborn

Micro Crypto News Feeds

asset under management

Definition ∞ Asset under Management, or AUM, denotes the total market value of all financial assets that an institution or individual manages on behalf of clients.

external calls

Definition ∞ External calls in smart contracts refer to interactions initiated by one smart contract with another contract or an external address.

short positions

Definition ∞ Short Positions represent an investment strategy where a trader speculates on a decline in an asset's price.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

financial

Definition ∞ Financial refers to matters concerning money, banking, investments, and credit.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: