Crypto hackers lift $42m from GMX’s Arbitrum liquidity pool in broad daylight

2025/07/10 02:53

Despite layers of scrutiny, GMX’s V1 GLP pool was hacked for over $40 million in a brazen exploit. With leverage functions now frozen, traders are left wondering: How did audited contracts crack? And what does this mean for DeFi’s perpetual trading future?

On July 9, on-chain perpetual and spot exchange GMX confirmed that its V1 GLP pool on Arbitrum had been exploited, with over $40 million worth of assorted tokens siphoned into an unknown wallet in a single transaction.

The attack, which appears to have manipulated the GLP vault mechanism, forced the protocol to halt trading and pause the minting and redeeming of GLP on both Arbitrum and Avalanche. GMX clarified that the breach was isolated to V1 and did not impact GMX V2, its token, or other associated markets.

While the GMX team has yet to disclose the exact exploit vector, the incident exposes the fragility of even audited smart contracts and raises urgent questions about the sustainability of decentralized leverage markets, where GMX has long been a dominant player.

How audits failed to stop the $40 million GMX exploit

The attacker’s path to draining $40 million from GMX’s V1 GLP pool was alarmingly straightforward yet devastatingly effective. According to blockchain analysts, the exploit involved manipulating the protocol’s leverage mechanism to mint excessive GLP tokens without proper collateral.

Once the attacker had artificially inflated their position, they redeemed the fraudulently minted GLP for underlying assets, leaving the pool more than $40 million short in a matter of blocks.

The funds didn’t remain idle for long. According to Cyvers and Lookonchain, the attacker used a malicious contract funded through Tornado Cash to obscure the origin of the exploit. Roughly $9.6 million of the estimated $42 million haul was bridged from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol, with portions swiftly converted to DAI.

Assets drained included ETH, USDC, fsGLP, DAI, UNI, FRAX, USDT, WETH, and LINK, making this a multi-asset strike spanning both native and synthetic tokens.

Before the hack, GMX’s V1 contracts were reviewed by top auditing firms. Quantstamp’s pre-deployment audit assessed core risks like reentrancy and access controls, while ABDK Consulting conducted additional stress tests. Yet neither audit flagged the specific leverage manipulation vector that enabled this exploit.

The oversight highlights a recurring blind spot in DeFi security: audits tend to focus on general vulnerabilities but often miss protocol-specific logic flaws. Ironically, GMX had proactive safeguards in place, including a $5 million bug bounty program and active monitoring by firms such as Guardian Audits.

This exploit doesn’t just undermine GMX; it casts doubt on the audit-driven security paradigm as a whole. If a protocol as mature and battle-tested as GMX can lose $40 million to a logic flaw, the implications for less scrutinized projects are deeply concerning.

Meanwhile, GMX’s on-chain appeal to the hacker, offering a 10% bounty for the return of funds, underscores DeFi’s harsh reality: recovery efforts often rely on negotiating with attackers.
