GMX’s V1 GLP Pool Hacked for $40 Million
On July 9, GMX’s V1 GLP pool on Arbitrum was hacked, resulting in a $40 million loss. The exploit targeted the GLP vault mechanism, allowing the attacker to mint excessive tokens without proper collateral. This breach forced GMX to freeze trading and halt GLP minting on Arbitrum and Avalanche.
The attack exposed a critical flaw in audited smart contracts. Despite thorough scrutiny, the protocol’s leverage functions were exploited. The team quickly froze trading to prevent further damage. GMX assured users that only V1 was affected, leaving V2 and other markets unaffected.
The attacker used a malicious contract funded through Tornado Cash to obscure the origin of the exploit. They bridged roughly $9.6 million from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol, converting portions to DAI.
GMX’s V1 contracts were reviewed by top auditing firms like Quantstamp and ABDK Consulting. However, these audits missed the specific leverage manipulation vector that enabled the exploit. This oversight highlights a recurring blind spot in DeFi security: audits often focus on general vulnerabilities but miss protocol-specific logic flaws.
GMX had proactive safeguards, including a $5 million bug bounty program. Yet the breach still occurred. This incident casts doubt on the audit-driven security paradigm. If a mature protocol like GMX can lose $40 million to a logic flaw, the implications for less scrutinized projects are concerning. The team’s on-chain appeal to the hacker, offering a 10% bounty for the return of funds, underscores DeFi’s harsh reality: recovery efforts often rely on negotiating with attackers. The exploit raises urgent questions about the sustainability of decentralized leverage markets.
- Audits tend to focus on general vulnerabilities but miss protocol-specific logic flaws.
- The attack exposes the fragility of even audited smart contracts.
- The incident raises questions about the sustainability of decentralized leverage markets.
GMX’s proactive safeguards, including active monitoring by firms such as Guardian Audits, failed to prevent the hack. The incident highlights the need for more robust security measures in DeFi.