
The global Short sizes (globalShortSizes) and global Short average price (getGlobalShortAveragePrice) of WBTC are 15373061114092959107000000000000000 and 1913705482286167437447414747675542, respectively.

- Next, the attack contract called the increasePosition function of the Vault contract, transferring USDC into the Vault and opening a large WBTC Short position worth 15.385 million.

At the end of the increasePosition function, the size of this newly opened Short position is added to the global Short position size (globalShortSizes), so the global size grows immediately.

- Then, right after opening the large Short position, the attack contract called the unstakeAndRedeemGlp function to unstake and redeem GLP tokens.

Here, however, only 386,000 GLP tokens were redeemed, yet 9.731 million USDG tokens were burned and 88 WBTC were finally transferred to the attack contract. Why? Let's continue tracing into the _removeLiquidity function of the GlpManager contract:

When a user redeems GLP tokens, the function calculates the number of USDG tokens to burn with the formula usdgAmount = _glpAmount * aumInUsdg / glpSupply. That USDG is then sold in the Vault for the asset the user wants to redeem (here WBTC). So the amount a redeemer receives scales directly with AUM, which is computed roughly as:
aum = ((totalPoolAmounts - totalReservedAmounts) * price) + totalGuaranteedUsd + GlobalShortLoss - GlobalShortProfits - aumDeduction
where GlobalShortLoss and GlobalShortProfits are the aggregate unrealized PnL of all open Short positions, derived from globalShortSizes and the global Short average price measured against the current price.

Because the large Short position opened in the previous step increased the global Short position size, and because the global average price (getGlobalShortAveragePrice) had already been manipulated far below the normal price, the aggregate Short position is deep in loss (hasProfit is false). GlobalShortLoss therefore grew by hundreds of times, and AUM was inflated along with it (aum + delta). Finally, the attacker used the inflated AUM to redeem far more assets than the GLP tokens were actually worth.
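To make the amplification concrete, here is an added example (not SlowMist's or GMX's code) that models the AUM and redemption arithmetic described above as integer functions, then compares a normal pool state with one where the global Short average price has been pushed far below the mark price. All numbers are constructed and expressed in whole USD for readability rather than the contracts' 30-decimal fixed point; the share threshold in within_single_factor_bound is a hypothetical monitoring bound, not a GMX parameter.

```python
# Added example (not SlowMist's or GMX's code): a simplified integer model of the
# AUM and redemption arithmetic described above, used to show how the global
# Short PnL term moves the GLP redemption value. Numbers are constructed and in
# whole USD for readability; the real contracts use 30-decimal fixed point.
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenState:
    pool_amount: int              # tokens held by the pool
    reserved_amount: int          # tokens reserved for open positions
    guaranteed_usd: int           # guaranteed USD from Long positions
    global_short_size: int        # globalShortSizes, in USD
    global_short_avg_price: int   # getGlobalShortAveragePrice, in USD


def global_short_delta(size: int, avg_price: int, mark_price: int) -> tuple[int, bool]:
    """Aggregate unrealized PnL of all Shorts: delta = size * |avg - mark| / avg.
    Returns (delta, has_profit); has_profit is False when the mark price is
    above the average entry, i.e. the Shorts are at a loss and owe the pool."""
    if size == 0:
        return 0, False
    delta = size * abs(avg_price - mark_price) // avg_price
    return delta, avg_price > mark_price


def base_aum(tok: TokenState, mark_price: int) -> int:
    """AUM before the global Short PnL term: (pool - reserved) * price + guaranteedUsd."""
    return (tok.pool_amount - tok.reserved_amount) * mark_price + tok.guaranteed_usd


def compute_aum(tok: TokenState, mark_price: int, aum_deduction: int = 0) -> int:
    """aum = base + GlobalShortLoss - GlobalShortProfits - aumDeduction (floored at 0)."""
    aum = base_aum(tok, mark_price)
    delta, has_profit = global_short_delta(tok.global_short_size, tok.global_short_avg_price, mark_price)
    aum = max(aum - delta, 0) if has_profit else aum + delta
    return max(aum - aum_deduction, 0)


def usdg_for_glp(glp_amount: int, aum_in_usdg: int, glp_supply: int) -> int:
    """_removeLiquidity: usdgAmount = _glpAmount * aumInUsdg / glpSupply."""
    return glp_amount * aum_in_usdg // glp_supply


def short_pnl_share(tok: TokenState, mark_price: int) -> float:
    """Fraction of base AUM contributed by the global Short PnL term alone.
    A monitoring metric: a single term that dwarfs the pool's own holdings is
    the signature of the manipulation described above."""
    delta, _ = global_short_delta(tok.global_short_size, tok.global_short_avg_price, mark_price)
    return delta / base_aum(tok, mark_price)


def within_single_factor_bound(tok: TokenState, mark_price: int, max_share: float = 0.2) -> bool:
    """Mitigation sketch (hypothetical threshold): refuse to price GLP when the
    Short PnL term exceeds max_share of base AUM, so one factor cannot dominate."""
    return short_pnl_share(tok, mark_price) <= max_share


# Constructed scenario: 100 WBTC in the pool, 10 reserved, mark price 100,000 USD.
MARK_PRICE = 100_000
NORMAL = TokenState(pool_amount=100, reserved_amount=10, guaranteed_usd=1_000_000,
                    global_short_size=2_000_000, global_short_avg_price=100_000)
# Same pool, but the global Short average price has been pushed to 2,000 USD and
# a 15,000,000 USD Short sits on top of it (constructed, loosely mirroring the page).
MANIPULATED = TokenState(pool_amount=100, reserved_amount=10, guaranteed_usd=1_000_000,
                         global_short_size=15_000_000, global_short_avg_price=2_000)
GLP_SUPPLY = 10_000_000
REDEEM_GLP = 100_000

if __name__ == "__main__":
    for label, tok in (("normal", NORMAL), ("manipulated", MANIPULATED)):
        aum = compute_aum(tok, MARK_PRICE)
        usdg = usdg_for_glp(REDEEM_GLP, aum, GLP_SUPPLY)
        print(f"{label:11s} aum={aum:>13,d} usdg_for_{REDEEM_GLP:,d}_glp={usdg:>12,d} "
              f"short_share={short_pnl_share(tok, MARK_PRICE):.1f} "
              f"bounded={within_single_factor_bound(tok, MARK_PRICE)}")
```

With the constructed inputs the same 100,000 GLP is worth 100,000 USDG in the normal state and 7,450,000 USDG in the manipulated one, because the Short loss term (735,000,000) is about 73 times the pool's own base AUM. That ratio is exactly the quantity a pool operator can watch: a per-token Short PnL share that jumps from near zero to tens of times base AUM within one block is the observable form of the price manipulation described above, and bounding it is one way to implement the "limit the direct impact of a single factor" recommendation in the summary.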

- Finally, the attacker continued to use the manipulated AUM to repeatedly call the unstakeAndRedeemGlp function to redeem other assets from the Vault for profit.

MistTrack Analysis
According to the on-chain anti-money laundering and tracking tool MistTrack, the initial attacker address (0xdf3340a436c27655ba62f8281565c9925c3a5221) profited over 42 million USD, including:

The fund transfer can be roughly summarized as follows:
- After profiting on Arbitrum, the initial attacker address quickly transferred WETH, WBTC, DAI, and other assets to an intermediary address (0x99cdeb84064c2bc63de0cea7c6978e272d0f2dae), and used multiple DEXs and cross-chain bridges such as CoW Swap, Across Protocol, Stargate Finance, and Mayan Finance to exchange and cross-chain transfer assets to Ethereum.

- The attacker mainly used CoW Swap to exchange USDC for DAI, and then converted the DAI to ETH.

- A large amount of assets were ultimately converted to ETH, with a total of 11,700 ETH flowing into the address (0x6acc60b11217a1fd0e68b0ecaee7122d34a784c1).

It is worth noting that the attacker's initial funds came from 2 ETH withdrawn from Tornado Cash on July 7, which were then bridged to Arbitrum via Mayan Finance to provide gas for the entire attack.

As of now, the balance is as follows:
- Arbitrum address 0xdf3340a436c27655ba62f8281565c9925c3a5221: balance of 10,494,796 Legacy Frax Dollar and 1.07 ETH;
- Ethereum address 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3: balance of 3000 ETH;
- Ethereum address 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7: balance of 3000 ETH;
- Ethereum address 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95: balance of 3000 ETH;
- Ethereum address 0x639cd2fc24ec06be64aaf94eb89392bea98a6605: balance of 2700 ETH.
We will continue to monitor the funds.
Summary
The core of this attack was that the attacker exploited two characteristics: the Keeper system enables leverage when executing orders, and opening a Short position updates the global Short average price while closing one does not. Using a reentrancy attack to create a large Short position, the attacker manipulated both the global Short average price and the global Short position size, which directly inflated the GLP price and let them redeem at a profit.
The SlowMist security team recommends that project parties should add reentrancy lock protection to core functions based on their business logic and strictly limit the direct impact of a single factor on the price. Additionally, they should strengthen contract code audits and security testing to avoid similar situations.