GMX confirmed a devastating exploit that drained approximately $42 million from its liquidity pools. In a bid to recover the stolen assets, the GMX team has issued a 10% “white-hat” bounty to the hacker. Additionally, they promised no legal repercussions if the funds are returned within 48 hours.
The incident occurred on GMX’s v1 platform, which primarily operates on the Arbitrum network. At 1:34 pm London time, abnormal outflows were detected from the protocol’s GLP liquidity pool.
Blockchain security firms, including PeckShield and Cyvers, quickly flagged the event as a sophisticated attack. They added that it involved a malicious smart contract deployed by an address funded through Tornado Cash, a privacy tool often used to obscure the origins of funds.
The attacker exploited a re-entrancy vulnerability in the GLP pool and began moving the stolen funds in stages, first bridging about $9.6 million from Arbitrum to Ethereum, an established tactic for laundering and obfuscating digital assets.
GMX Responds To Hack
In the wake of the exploit, GMX immediately disabled trading and the minting and redeeming of GLP tokens on both Arbitrum and Avalanche to prevent further losses. The team assured users that the attack was confined to v1 contracts and did not impact v2, which now handles the majority of trading volume.
Unfortunately, the company had already suffered significant losses. For instance, the price of GMX’s native token plummeted by as much as 28%, falling to $11.20 in the hours after the breach. Additionally, over $500 million in user deposits were at risk, although the full extent of user impact remains under investigation.
In a move increasingly common among DeFi protocols facing catastrophic losses, GMX sent a direct on-chain message to the attacker’s wallet. The message offered a 10% “white-hat” bounty, roughly $4.2 million, in exchange for the return of the remaining 90% of the funds. GMX pledged not to pursue legal action if the hacker complies within 48 hours.
No funds have been recovered, and the attacker’s wallet continues to hold nearly $44 million in various assets at the time of publication.