Crypto hackers lift $42m from GMX’s Arbitrum liquidity pool in broad daylight

2025/07/10 02:53

Despite layers of scrutiny, GMX’s V1 GLP pool was hacked for over $40 million in a brazen exploit. With leverage functions now frozen, traders are left wondering: How did audited contracts crack? And what does this mean for DeFi’s perpetual trading future?

On July 9, on-chain perpetual and spot exchange GMX confirmed that its V1 GLP pool on Arbitrum had been exploited, with over $40 million worth of assorted tokens siphoned into an unknown wallet in a single transaction.

The attack, which appears to have manipulated the GLP vault mechanism, forced the protocol to halt trading and pause the minting and redeeming of GLP on both Arbitrum and Avalanche. GMX clarified that the breach was isolated to V1 and did not impact GMX V2, its token, or other associated markets.

While the GMX team has yet to disclose the exact exploit vector, the incident exposes the fragility of even audited smart contracts and raises urgent questions about the sustainability of decentralized leverage markets, where GMX has long been a dominant player.

How audits failed to stop the $40 million GMX exploit

The attacker’s path to draining $40 million from GMX’s V1 GLP pool was alarmingly straightforward yet devastatingly effective. According to blockchain analysts, the exploit involved manipulating the protocol’s leverage mechanism to mint excessive GLP tokens without proper collateral.

Once the attacker artificially inflated their position, they redeemed the fraudulently minted GLP for underlying assets, leaving the pool short by over $40 million in a matter of blocks.

The funds didn’t remain idle for long. According to Cyvers and Lookonchain, the attacker used a malicious contract funded through Tornado Cash to obscure the origin of the exploit. Roughly $9.6 million of the estimated $42 million haul was bridged from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol, with portions swiftly converted to DAI.

Assets drained included ETH, USDC, fsGLP, DAI, UNI, FRAX, USDT, WETH, and LINK, making this a multi-asset strike spanning both native and synthetic tokens.

Before the hack, GMX’s V1 contracts were reviewed by top auditing firms. Quantstamp’s pre-deployment audit assessed core risks like reentrancy and access controls, while ABDK Consulting conducted additional stress tests. Yet neither audit flagged the specific leverage manipulation vector that enabled this exploit.

The oversight highlights a recurring blind spot in DeFi security: audits tend to focus on general vulnerabilities but often miss protocol-specific logic flaws. Ironically, GMX had proactive safeguards in place, including a $5 million bug bounty program and active monitoring by firms such as Guardian Audits.

This exploit doesn’t just undermine GMX; it casts doubt on the audit-driven security paradigm as a whole. If a protocol as mature and battle-tested as GMX can lose $40 million to a logic flaw, the implications for less scrutinized projects are deeply concerning.

Meanwhile, GMX’s on-chain appeal to the hacker, offering a 10% bounty for the return of funds, underscores DeFi’s harsh reality: recovery efforts often rely on negotiating with attackers.
