In July 2025, GMX V1 suffered a $42 million hack. The attacker exploited a reentrancy vulnerability in the protocol’s smart contracts before returning the bulk of the stolen funds in return for a bounty payment.
Inside the Attack
Reentrancy is one of the oldest and best-known smart contract vulnerabilities. Whenever a contract makes an external call in the middle of its execution, most commonly when it sends ETH or tokens to another contract, the callee gets to run arbitrary code. A malicious callee can use that window to call back into the vulnerable contract before it has finished updating the state from the first call, so the nested call sees, and acts on, stale state.
In this case, the vulnerable function was GMX's executeDecreaseOrder. It is invoked by GMX's order-keeper contract, but it takes the order's receiver address as input, and the attacker had set that address to a contract under their control. When the function sent a refund to that address, the transfer handed control to the attacker's contract, which reentered the protocol before executeDecreaseOrder had finished updating its state.
This reentrancy vulnerability enabled the attacker to take advantage of a circular relationship between several values in the GMX ecosystem, including:
Global short positions changing global average short prices
Global average short prices affecting assets under management (AUM) calculations
AUM calculations impacting the value of GLP tokens
GLP token prices allowing liquidity operations that affected global short positions
When the attacker exploited the reentrancy vulnerability, the global short size was updated but the global average short price was not, so it stayed at its earlier, much lower value. Because the shorts' unrealized PnL is computed from that average, the protocol treated the enlarged short book as if it had been opened at the low price and was therefore deeply underwater; a trader loss of that kind is counted as liquidity-provider gain, so the AUM calculation, and with it the GLP token price, was inflated. The attacker then drained about $42 million from the protocol by redeeming GLP at the inflated price.
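The following Python model is an added illustration, not GMX's code: it keeps the shape of GMX V1's accounting (a size-weighted global average short entry price, and AUM equal to the pool value plus the aggregate short loss or minus the aggregate short profit), but the pool size, prices, position sizes, GLP supply and the method names are all ours. The vulnerable decrease handler hands control to the receiver before it finishes writing the average price, so a reentrant increase leaves the size large and the average stale; the fixed handler finishes every state write before the external call.

```python
"""Toy model of the GMX V1 short-accounting reentrancy (added example, not GMX code).

Accounting shape follows GMX V1 (size-weighted average short entry price;
AUM = pool value plus aggregate short loss, or minus aggregate short profit),
but every number and every name below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Vault:
    pool_usd: float = 10_000_000.0    # constructed: $10M of pool liquidity
    glp_supply: float = 10_000_000.0  # constructed: GLP supply (~$1 each at start)
    price: float = 1_900.0            # constructed: current index price
    short_size: float = 0.0           # global short size, in USD
    short_avg: float = 0.0            # global average short entry price

    # ---- accounting (shape of GlpManager.getAum in GMX V1, simplified) ------
    def global_short_delta(self):
        """Return (abs_unrealized_pnl_usd, shorts_in_profit) for the aggregate short."""
        if self.short_size == 0.0 or self.short_avg == 0.0:
            return 0.0, False
        move = abs(self.price - self.short_avg)
        return self.short_size * move / self.short_avg, self.short_avg > self.price

    def aum(self):
        delta, in_profit = self.global_short_delta()
        # Traders' short losses are LP gains, and vice versa.
        return self.pool_usd - delta if in_profit else self.pool_usd + delta

    def glp_price(self):
        return self.aum() / self.glp_supply

    def _next_avg(self, size_delta):
        """Size-weighted average entry price after adding size_delta at the current price."""
        total = self.short_size + size_delta
        return (self.short_size * self.short_avg + size_delta * self.price) / total

    # ---- state transitions -------------------------------------------------
    def increase_short(self, size_delta):
        """Open more short exposure at the current price; updates size AND average."""
        self.short_avg = self._next_avg(size_delta)
        self.short_size += size_delta

    def execute_decrease_order_vulnerable(self, receiver, size_delta):
        # (1) snapshot the values the final write is derived from
        size_before, avg_before = self.short_size, self.short_avg
        # (2) effect: shrink the global short size
        self.short_size = size_before - size_delta
        # (3) interaction: refund the receiver. Control leaves the contract
        #     BEFORE the average price is written, so `receiver` can reenter.
        receiver.on_refund(self)
        # (4) write the average from the stale snapshot, clobbering whatever
        #     a reentrant increase_short wrote during step (3)
        self.short_avg = avg_before if self.short_size > 0 else 0.0

    def execute_decrease_order_fixed(self, receiver, size_delta):
        # checks-effects-interactions: finish every state write first ...
        self.short_size -= size_delta
        if self.short_size <= 0:
            self.short_avg = 0.0
        # ... and only then hand control to an external contract
        receiver.on_refund(self)


class Attacker:
    """Receiver contract whose refund hook reenters the vault exactly once."""

    def __init__(self, reenter_size):
        self.reenter_size = reenter_size
        self.fired = False

    def on_refund(self, vault):
        if not self.fired:
            self.fired = True
            vault.increase_short(self.reenter_size)


def run_scenario(vulnerable):
    """Replay the attack against the vulnerable or the fixed decrease handler."""
    v = Vault()
    v.increase_short(1_000_000.0)   # constructed: $1M of existing shorts opened at 1900
    v.price = 2_000.0               # price rises; the shorts are now slightly underwater
    attacker = Attacker(reenter_size=50_000_000.0)  # constructed: $50M reentrant short
    before = v.aum()
    handler = v.execute_decrease_order_vulnerable if vulnerable else v.execute_decrease_order_fixed
    handler(attacker, size_delta=100_000.0)  # the keeper executes the attacker's decrease order
    return {
        "short_size": v.short_size,
        "short_avg": v.short_avg,
        "aum_before": before,
        "aum_after": v.aum(),
        "glp_price_after": v.glp_price(),
    }


if __name__ == "__main__":
    for mode in (True, False):
        r = run_scenario(vulnerable=mode)
        print("vulnerable" if mode else "fixed", {k: round(x, 2) for k, x in r.items()})
```

In the vulnerable run the short size ends at $50.9M while the average is still 1,900, so AUM jumps by about $2.6M and GLP is repriced from roughly $1.005 to $1.27, which is the price the attacker would redeem at. In the fixed run the same reentrant call lands after the state writes, the average moves to about 1,998 and AUM barely changes. Moving the external call last is the checks-effects-interactions rule; in production you would also add a reentrancy guard shared across every entry point that touches the short accounting as defense in depth, since a guard on the decrease handler alone would not block a reentrant call into increase_short.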
As part of its response to the hack, GMX offered a bounty for the return of the funds. In the end, the attacker received a bounty payment of $5 million, and the remaining stolen funds were returned to the GMX multi-sig wallet.
Lessons Learned from the Attack
The reentrancy vulnerability exploited in this attack was introduced by the fix for an earlier one. In 2022, GMX paid a $1 million bug bounty for a report of non-atomic updates to the global short size and the global average short price. The fix for that issue introduced the new vulnerability, and the fix itself was never audited.
This incident demonstrates the importance of auditing all code before it is launched on-chain, including the patches for previously reported bugs. For help securing your protocol against attack, reach out to Halborn.