Briefing

The GMX V1 decentralized finance protocol experienced a significant security incident in July 2025, when an attacker exploited a reentrancy vulnerability within its smart contracts. This critical flaw enabled the manipulation of assets under management (AUM) calculations, leading to the unauthorized draining of liquidity. The incident resulted in a total loss of $42 million from the protocol’s GLP liquidity pool.


Context

Reentrancy has long been recognized as a foundational vulnerability within smart contract design, often arising from non-atomic state updates during external calls. Prior to this incident, the GMX V1 protocol had attempted to address a related bug concerning global short updates in 2022, but the subsequent fix was deployed without a comprehensive security audit, inadvertently introducing the new reentrancy vector. This oversight created an exploitable attack surface within a critical component of the protocol’s financial mechanics.


Analysis

The attack leveraged a reentrancy vulnerability within GMX V1’s executeDecreaseOrder function. When processing a refund, this function transferred control to the attacker’s smart contract, allowing it to re-enter the vulnerable function before the protocol’s internal state was fully updated. Specifically, the attacker manipulated a circular dependency between global short positions, the global average short price, and assets under management (AUM) calculations.

By repeatedly calling the function, the attacker updated the list of short positions but not the global average short price, creating an artificially low historical price. This distortion inflated AUM calculations and the perceived value of GLP tokens, enabling the attacker to redeem them for $42 million in underlying assets.
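The ordering bug described in this section, as an added example (a constructed Python model, not GMX V1’s Solidity): a vault keeps total short size and a size-weighted global average short price, counts the short book’s unrealised loss in AUM, and refunds the caller through an external callback. The vulnerable branch makes that call between two coupled state updates, while the guarded branch holds a reentrancy lock and finishes every update before the call. All names, numbers and the AUM formula are assumptions.

```python
# Added example, not GMX code: simplified model of the vulnerable ordering described above.
class Vault:
    def __init__(self, pool_value, short_size, avg_short_price, mark_price, guarded):
        self.pool_value, self.short_size = pool_value, short_size
        self.avg_short_price, self.mark_price = avg_short_price, mark_price
        self.guarded, self._locked = guarded, False
    def aum(self):
        loss = self.short_size * (self.mark_price - self.avg_short_price) / self.avg_short_price
        return self.pool_value + max(loss, 0.0)   # unrealised short loss counts as pool value
    def _remove_from_average(self, size, entry_price, size_before):
        # Drop a closed position from the size-weighted average using the pre-close total.
        total = self.avg_short_price * size_before - entry_price * size
        self.avg_short_price = total / (size_before - size)
    def execute_decrease_order(self, size, entry_price, on_refund):
        if self.guarded:
            if self._locked:
                raise RuntimeError("reentrant call rejected")        # reentrancy guard
            self._locked = True
            self.short_size -= size                                   # checks-effects-interactions:
            self._remove_from_average(size, entry_price, self.short_size + size)  # all effects,
            on_refund(self)                                           # then the external call
            self._locked = False
        else:
            self.short_size -= size                                   # effect 1
            on_refund(self)                                           # external call: re-entry possible
            self._remove_from_average(size, entry_price, self.short_size + size)  # effect 2 sees changed globals

class ReentrantRefund:  # refund callback that closes a second position from inside the first close
    def __init__(self, second_order):
        self.second_order, self.depth, self.blocked = second_order, 0, False
    def __call__(self, vault):
        self.depth += 1
        if self.depth == 1:
            try:
                vault.execute_decrease_order(*self.second_order, self)
            except RuntimeError:
                self.blocked = True   # guard rejected the nested call; the outer close still completes

def scenario(guarded):
    # Book: 40 @ 80, 40 @ 120, 20 @ 100 (size 100, average 100); both 40-size shorts get closed.
    vault = Vault(1000.0, 100.0, 100.0, 100.0, guarded)
    refund = ReentrantRefund(second_order=(40.0, 120.0))
    vault.execute_decrease_order(40.0, 80.0, refund)
    return vault, refund

def honest_aum():  # the same two closes done sequentially: consistent end state is size 20, average 100
    vault = Vault(1000.0, 100.0, 100.0, 100.0, guarded=True)
    vault.execute_decrease_order(40.0, 80.0, lambda v: None)
    vault.execute_decrease_order(40.0, 120.0, lambda v: None)
    return vault.aum()
```

In the unguarded vault the nested close leaves the average short price far below any real entry price, so the book shows a phantom loss and AUM rises above the honest value; the guarded vault rejects the nested call and its AUM stays at the honest figure.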


Parameters

  • Protocol Targeted → GMX V1
  • Attack Vector → Reentrancy Vulnerability
  • Financial Impact → $42 Million
  • Blockchain(s) Affected → Arbitrum (GLP pool)
  • Vulnerable Function → executeDecreaseOrder
  • Exploited Mechanism → GLP price calculation via AUM manipulation
  • Resolution → Attacker returned funds for a $5 Million bounty


Outlook

This incident underscores the critical necessity for rigorous and independent security audits of all smart contract modifications, regardless of their perceived scope. Protocols must adopt a “secure by design” philosophy, ensuring that even minor code changes undergo thorough verification to prevent the introduction of new vulnerabilities. For users, it reinforces the importance of monitoring protocol announcements and understanding the inherent risks associated with even established DeFi platforms. This event will likely prompt enhanced auditing standards for complex financial primitives and re-emphasize the need for robust reentrancy guards in all external calls.

The GMX V1 reentrancy exploit serves as a stark reminder that even mature DeFi protocols remain susceptible to fundamental smart contract vulnerabilities, necessitating continuous, comprehensive auditing and a proactive security posture to safeguard digital assets.

Signal Acquired from → Halborn
