GMX Offers 10% White Hat Bounty After $42M Exploit: A Call to Hackers

GMX Decentralized Exchange Suffers $42 Million Exploit
Overview of the Incident
A significant security breach occurred on Wednesday at GMX, a decentralized perpetual futures exchange, resulting in the theft of approximately $42 million in cryptocurrency. The attack specifically targeted the first version of the protocol operating on the Arbitrum network.
Details of the Attack
At 1:34 PM London time, the hacker executed a transfer of assets from the GMX protocol to a different wallet. Following this, they successfully bridged around $9.6 million of the stolen assets from Arbitrum to Ethereum. In response to the breach, GMX announced via a post on X that trading activities on GMX v1, along with the minting and redeeming of GLP tokens, have been halted on both Arbitrum and Avalanche. This precautionary measure aims to mitigate further risks and safeguard users from additional losses.
Impact on GMX and Its Users
The exploit has dealt a significant blow to GMX, which manages user deposits totaling around $500 million. In the wake of the incident, the value of GMX’s token plummeted by 28%, bringing its current trading price down to $11.20. The hacker specifically targeted GMX v1, which has been operational since 2021, and among the assets taken were $10 million in Legacy Frax Dollars, $9.7 million in USDC, as well as smaller amounts of Wrapped Bitcoin and Ether.
Method of Attack
According to security experts from Cyvers, the attacker utilized funds from the privacy protocol Tornado Cash to finance their actions and deployed a malicious smart contract that drained the protocol’s resources. This is not the first instance of GMX v1 being compromised; a previous hack in September 2022 resulted in a loss of $560,000 on the Avalanche blockchain.
White Hat Bounty Offer
Approximately one hour after the attack, GMX reached out to the hacker through an on-chain message, proposing a 10% bounty for the return of the stolen assets within a 48-hour timeframe. The platform reassured its users that the v2 smart contracts remained unaffected by this exploit, emphasizing that the attack was confined to v1 and its GLP liquidity pool. Notably, GMX transitioned in 2023 to v2, which now handles the majority of trading activities, although the v1 contracts were left operational for public use.
Ongoing Risks and Future Actions
Despite the immediate measures taken, there are concerns that additional funds may still be vulnerable. Current estimates indicate that over $27 million is held within GMX v1 forks, which could also be at risk depending on the exploit’s nature. Forks are decentralized finance protocols that replicate existing open-source code, often with minor modifications or deployed on different blockchains.
GMX is collaborating with its security partners to analyze the exploit’s mechanics and plans to release a comprehensive report detailing the incident once all information has been thoroughly verified.
Zachary Rampone serves as a DeFi correspondent at DL News.