GMX’s V1 GLP Pool Hacked for $40 Million
On July 9, GMX, a popular on-chain perpetual and spot exchange, confirmed a notable security breach. The V1 GLP pool on Arbitrum was hacked, resulting in a loss of over $40 million.
The attack targeted the leverage mechanism of the GLP vault, allowing the attacker to mint excessive GLP tokens without proper collateral. This led to the protocol halting trading and freezing the minting and redeeming of GLP on both Arbitrum and Avalanche.
Despite being audited by top firms, the protocol’s contracts were exploited, raising questions about the effectiveness of audits in DeFi. The attacker manipulated the leverage mechanism to inflate their position and then redeemed the fraudulently minted GLP for the underlying assets.
The attacker used a malicious contract funded through Tornado Cash to obscure the origin of the exploit and bridged roughly $9.6 million of the estimated $42 million haul from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol. The drained assets included ETH, USDC, fsGLP, DAI, UNI, FRAX, USDT, WETH, and LINK.
While GMX had proactive safeguards in place, including a $5 million bug bounty program and active monitoring by firms such as Guardian Audits, the missed flaw highlights a recurring blind spot in DeFi security. Audits tend to focus on general vulnerability classes but often miss protocol-specific logic flaws. This exploit casts doubt on the audit-driven security paradigm as a whole.
GMX’s on-chain appeal to the hacker, offering a 10% bounty for the return of funds, underscores DeFi’s harsh reality: recovery efforts often rely on negotiating with attackers. The incident exposes the fragility of even audited smart contracts and raises urgent questions about the sustainability of decentralized leverage markets.