Briefing

The GMX V1 decentralized finance protocol suffered a significant security incident in July 2025, when an attacker exploited a reentrancy vulnerability in its smart contracts. The flaw allowed the attacker to manipulate the protocol’s assets under management (AUM) calculation and drain liquidity without authorization. The incident resulted in a total loss of $42 million from the protocol’s GLP liquidity pool.


Context

Reentrancy has long been recognized as a foundational vulnerability in smart contract design, typically arising when state is updated non-atomically around an external call. Prior to this incident, GMX V1 had patched a related bug in its global short updates in 2022, but that fix was deployed without a comprehensive security audit and inadvertently introduced the new reentrancy vector. The oversight created an exploitable attack surface in a critical component of the protocol’s financial accounting.


Analysis

The attack leveraged a reentrancy vulnerability in GMX V1’s executeDecreaseOrder function. While processing a refund, this function handed control to the attacker’s smart contract through an external call, allowing it to re-enter the vulnerable function before the protocol’s internal state had been fully updated. Specifically, the attacker exploited a circular dependency between global short positions, the global average short price, and the assets under management (AUM) calculation.

By repeatedly calling the function, the attacker updated the list of short positions but not the global average short price, creating an artificially low historical price. This distortion inflated AUM calculations and the perceived value of GLP tokens, enabling the attacker to redeem them for $42 million in underlying assets.
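To make the accounting failure concrete, here is a simplified Python model added for this briefing; it is not GMX code, and the vault rule, the pool PnL formula, the refund hook and every number in it are constructed assumptions. It shows a close_short that makes its external call before the global average short price is recomputed, an attacker callback that redeems GLP against the stale price, and the hardened variant that recomputes state before the call and rejects re-entry with a lock shared across all state-changing entry points.

```python
"""Simplified model of non-atomic short-position accounting feeding GLP pricing.

Added illustration for this briefing, not GMX code: the vault rule, the PnL
formula, the refund hook and every number below are constructed assumptions.
"""


class Vault:
    """A pool plus one aggregate short position (global size, global avg price).

    AUM = pool value + the shorts' unrealized loss (a short under water is a
    gain for the pool, a short in profit is a loss for it); GLP = AUM / supply.
    The aggregate average price is an approximation of the per-position book,
    which is what makes a stale value dangerous.
    """

    def __init__(self, pool_value, glp_supply, mark_price, hardened):
        self.pool_value = pool_value
        self.glp_supply = glp_supply
        self.mark_price = mark_price
        self.hardened = hardened          # True: shared lock + effects first
        self.positions = {}               # position id -> (size, entry price)
        self.global_short_size = 0.0
        self.global_short_avg_price = 0.0
        self._locked = False

    # Reentrancy lock shared by every state-changing entry point.
    def _enter(self):
        if self.hardened:
            if self._locked:
                raise RuntimeError("reentrant call rejected")
            self._locked = True

    def _exit(self):
        self._locked = False

    def _recompute_avg(self):
        total = sum(size for size, _ in self.positions.values())
        weighted = sum(size * price for size, price in self.positions.values())
        self.global_short_avg_price = weighted / total if total else 0.0

    def aum(self):
        if self.global_short_size == 0:
            return self.pool_value
        pnl_for_pool = self.global_short_size * (
            self.mark_price - self.global_short_avg_price) / self.global_short_avg_price
        return self.pool_value + pnl_for_pool

    def glp_price(self):
        return self.aum() / self.glp_supply

    def open_short(self, pid, size, entry_price):
        self._enter()
        try:
            self.positions[pid] = (size, entry_price)
            self.global_short_size += size
            self._recompute_avg()
        finally:
            self._exit()

    def redeem_glp(self, amount):
        self._enter()
        try:
            payout = amount * self.glp_price()
            self.glp_supply -= amount
            self.pool_value -= payout
            return payout
        finally:
            self._exit()

    def close_short(self, pid, refund_hook):
        """Close a position and pay the refund through an external call."""
        self._enter()
        try:
            size, _ = self.positions.pop(pid)
            self.global_short_size -= size      # position list updated here ...
            if self.hardened:
                self._recompute_avg()           # ... and avg price, before the call
                refund_hook(self)
            else:
                refund_hook(self)               # external call while avg is stale
                self._recompute_avg()
        finally:
            self._exit()


def build_vault(hardened):
    # Constructed scenario: mark price 100, two shorts opened at 50 and 150,
    # so the aggregate average is exactly 100 and the pool shows no PnL.
    v = Vault(pool_value=100_000.0, glp_supply=100_000.0, mark_price=100.0,
              hardened=hardened)
    v.open_short("A", size=30_000.0, entry_price=50.0)
    v.open_short("B", size=30_000.0, entry_price=150.0)
    return v


def run_attack(hardened):
    """Close short A; the refund callback re-enters and redeems 10,000 GLP.

    Returns the payout, or None when the shared lock rejects the re-entry
    (on-chain the whole transaction would revert).
    """
    v = build_vault(hardened)
    result = {}

    def hook(vault):                        # attacker contract receiving the refund
        result["payout"] = vault.redeem_glp(10_000.0)

    try:
        v.close_short("A", hook)
    except RuntimeError:
        return None
    return result["payout"]


def honest_redeem():
    """Fair payout for 10,000 GLP once A is closed and the avg price is current."""
    v = build_vault(hardened=True)
    v.close_short("A", lambda vault: None)  # benign refund receiver
    return v.redeem_glp(10_000.0)


if __name__ == "__main__":
    print("vulnerable payout:", run_attack(hardened=False))   # 10000.0 (stale avg 100)
    print("fair payout:     ", honest_redeem())               # 9000.0 (avg 150)
    print("hardened attack: ", run_attack(hardened=True))     # None (rejected)
```

Closing short A leaves only the short opened at 150, which is in profit for the trader and a 10,000 loss for the pool; while the average price is still the stale 100, the vault reports no such loss, so GLP redeems at 1.0 instead of the fair 0.9. Recomputing the average before the external call removes the window, and the shared lock turns any callback into the protocol into a revert.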


Parameters

  • Protocol Targeted → GMX V1
  • Attack Vector → Reentrancy Vulnerability
  • Financial Impact → $42 Million
  • Blockchain(s) Affected → Arbitrum (GLP pool)
  • Vulnerable Function → executeDecreaseOrder
  • Exploited Mechanism → GLP price calculation via AUM manipulation
  • Resolution → Attacker returned funds for a $5 Million bounty


Outlook

This incident underscores the necessity of rigorous, independent security audits for every smart contract modification, regardless of its perceived scope. Protocols must adopt a “secure by design” philosophy, ensuring that even minor code changes undergo thorough verification so that a fix for one bug does not introduce another. For users, it reinforces the importance of monitoring protocol announcements and understanding the inherent risks of even established DeFi platforms. The event will likely prompt stricter auditing standards for complex financial primitives and re-emphasize the need for robust reentrancy guards around all external calls.

The GMX V1 reentrancy exploit serves as a stark reminder that even mature DeFi protocols remain susceptible to fundamental smart contract vulnerabilities, necessitating continuous, comprehensive auditing and a proactive security posture to safeguard digital assets.

Signal Acquired from → Halborn
