Losses of over $40 million! GMX security incident vulnerability analysis and stolen funds tracking


Author: Beosin

GMX was attacked: the attacker exploited a reentrancy vulnerability in the project's contracts and made off with approximately $42 million. The Beosin security team analysed the vulnerability and traced the stolen funds; the findings are shared below.

Detailed Attack Steps

The attacker first abused the margin (collateral) refund in the executeDecreaseOrder function of the OrderBook contract. The refund is an external transfer to the order's account, which hands control to the attacker's contract mid-execution; the attacker used that callback to launch a reentrancy attack and bypass the leverage switch enforced by the project's Timelock contract.

Next, the attacker took a USDC flash loan, staked the USDC to mint GLP, and at the same time increased a BTC short position using USDC as margin. This drove the AUM value held by the GlpManager contract artificially high, and AUM feeds directly into the GLP price calculation.

Finally, the attacker redeemed the GLP at the abnormal (inflated) price, specifying other tokens as the redemption output, and pocketed the difference.

Vulnerability Analysis

From the attack flow above, the exploit came down to two causes:
- No reentrancy protection, so internal state could be modified from a callback in the middle of the redemption flow.
- Complex redemption logic without sufficient security checks on the state it relies on.
Although GMX had undergone multiple security audits, this reentrancy vulnerability was still missed. Stricter checks on the redemption logic, together with explicit consideration of reentrancy around every external call, could have prevented this incident.
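To make the first attack step and the "lack of reentrancy protection" finding concrete, the following is an added, deliberately simplified Solidity model. It is not GMX's code; the contract and function names (ToyVault, OrderExecutor, Attacker, increaseShort, setLeverageEnabled) and the position sizes are hypothetical. It models the pattern the analysis describes: a vault action gated by a leverage switch that is only on during order execution, a collateral refund made by an external call while the switch is still on, an attacking contract whose receive() re-enters during that refund, and a hardened executor that adds a reentrancy lock and turns the switch off before any external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only; these contracts are not GMX code.
// A vault gates a privileged path behind a "leverage" switch that an
// executor turns on only for the duration of order execution, then off again.
contract ToyVault {
    address public immutable executor;
    bool public leverageEnabled;
    mapping(address => uint256) public shortSize;

    constructor(address executor_) { executor = executor_; }

    function setLeverageEnabled(bool on) external {
        require(msg.sender == executor, "not executor");
        leverageEnabled = on;
    }

    // Growing a position directly is only meant to work inside a vetted
    // order execution, i.e. while the executor has the switch on.
    function increaseShort(uint256 size) external {
        require(leverageEnabled, "leverage disabled");
        shortSize[msg.sender] += size;
    }
}

contract OrderExecutor {
    ToyVault public immutable vault;
    mapping(address => uint256) public collateral; // ETH owed back to an account
    bool private locked;

    constructor() { vault = new ToyVault(address(this)); }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // VULNERABLE: the collateral refund is an external call made while the
    // switch is still on, so a contract account can re-enter the vault.
    function executeDecreaseOrderVulnerable(address payable account) external {
        uint256 refund = collateral[account];
        collateral[account] = 0;
        vault.setLeverageEnabled(true);
        (bool ok, ) = account.call{value: refund}(""); // hands control to `account`
        require(ok, "refund failed");
        vault.setLeverageEnabled(false);
    }

    // HARDENED: a reentrancy lock on the executor, and the switch is turned
    // off before any external call (checks-effects-interactions).
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function executeDecreaseOrderHardened(address payable account) external nonReentrant {
        uint256 refund = collateral[account];
        collateral[account] = 0;
        vault.setLeverageEnabled(true);
        // ...position bookkeeping that legitimately needs the switch goes here...
        vault.setLeverageEnabled(false);
        (bool ok, ) = account.call{value: refund}("");
        require(ok, "refund failed");
    }
}

contract Attacker {
    OrderExecutor public immutable exec;
    ToyVault public immutable vault;
    uint256 public constant SHORT_SIZE = 1_000_000e18; // hypothetical size

    constructor(OrderExecutor exec_) {
        exec = exec_;
        vault = exec_.vault();
    }

    function deposit() external payable { exec.deposit{value: msg.value}(); }

    // Runs in the middle of the refund. Against the vulnerable path the switch
    // is still on and the short opens; against the hardened path increaseShort
    // reverts, the refund call fails, and the whole order execution reverts.
    receive() external payable {
        vault.increaseShort(SHORT_SIZE);
    }

    function attackVulnerable() external {
        exec.executeDecreaseOrderVulnerable(payable(address(this)));
    }

    function attackHardened() external {
        exec.executeDecreaseOrderHardened(payable(address(this)));
    }
}
```

To try it in Remix or a Foundry test: deploy OrderExecutor, deploy Attacker with the executor's address, send a little ETH through Attacker.deposit, then call attackVulnerable. Afterwards vault.leverageEnabled() is back to false, yet vault.shortSize(attacker) equals SHORT_SIZE: the position was opened inside the window the switch was meant to close. Calling attackHardened instead reverts with "refund failed", because the callback finds the switch off; a non-reentering account still receives its refund normally. The lock alone is not enough if the privileged state is still exposed during the external call, which is why the hardened version also reorders the switch and the transfer.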

Stolen Funds Tracking

Beosin Trace tracked the stolen funds and found that the attacker's address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 gained approximately $42 million. The attacker then swapped stablecoins and altcoins into ETH and USDC through several cross-chain protocols and bridged the stolen assets to the Ethereum network. At the time of writing, approximately $32 million worth of ETH sits in the following four Ethereum addresses:

- 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7

- 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95

- 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3

- 0x639cd2fc24ec06be64aaf94eb89392bea98a6605

Approximately $10 million in assets remain at the Arbitrum address 0xdf3340a436c27655ba62f8281565c9925c3a5221. Beosin Trace has added the hacker-related addresses to its blacklist and will continue to monitor them.

According to Beosin Trace's analysis, all of the stolen funds are still held across the attacker's multiple addresses.

Conclusion

The core of this attack is the reentrancy vulnerability in GMX's contracts, which let the attacker inflate the AUM value and then redeem a large amount of assets at that distorted price for profit. Complex DeFi protocols like GMX need multi-dimensional, multi-layered security audits with thorough testing and review of the contract code, including how each external call interacts with protocol state. The Beosin security team has previously completed security audits for several DeFi protocols (including Surf Protocol, SyncSwap, LeverFi and Owlto Finance), focusing on contract logic defects and the extreme scenarios that are easily overlooked.

Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests, and are not related to Web3Caff's stance. The information in the article is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.
