
What Is a Cross-Contract Reentrancy Attack? A Beginner’s Guide to Understanding the GMX Exploit

If you followed the news on July 9, 2025, you likely saw headlines about GMX losing $42 million to a hack. Reports mentioned terms like “cross-contract reentrancy,” “globalShortAveragePrices,” and “flash loan exploitation.” For anyone not deeply versed in smart contract development, these terms can feel impenetrable. This guide breaks down what happened in plain language, explains why it matters for every crypto user, and gives you practical steps to protect yourself.

The Basics

At its core, a reentrancy attack is like someone knocking on your door, and while you’re busy letting them in, they sneak a friend through the back door. In smart contract terms, it happens when Contract A calls Contract B, and Contract B — before finishing its work — calls back into Contract A. This callback can trigger actions in Contract A that should not be allowed at that point in the execution flow.

A cross-contract reentrancy is the same concept but involves three or more contracts. In the GMX case, the attack chain went through at least four contracts: the attacker’s malicious contract, the PositionManager, the Timelock, and the Vault. Each contract did its job in isolation, but the interaction between them created a vulnerability.

Think of it like a building with multiple security checkpoints. Each checkpoint individually works correctly, but if someone figures out the exact timing to pass through all of them simultaneously, they can bypass the entire security system without triggering any single alarm.
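To make the call flow concrete, here is an added illustration in Solidity; it is not GMX's code, and the Vault and Lender contracts and their function names are hypothetical. The Vault's own reentrancy lock blocks a callback into the Vault, but a callback into the Lender still reads the Vault's stale balance unless the Vault finishes its state change before the external call (the hardened `withdraw`) or the Lender refuses to read the Vault while it is locked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vault: holds ETH deposits and guards its own entry points with a lock.
// Hypothetical contract written for this article; not GMX code.
contract Vault {
    mapping(address => uint256) public balanceOf;
    bool public locked; // public so other contracts can see a call in progress
    modifier nonReentrant() {
        require(!locked, "Vault: reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function deposit() external payable { balanceOf[msg.sender] += msg.value; }

    // VULNERABLE ORDER: the external call runs while balanceOf is still stale.
    // The lock blocks re-entry into this contract, but the callback can go to
    // a different contract that reads Vault state and trusts it.
    function withdrawVulnerable() external nonReentrant {
        uint256 amount = balanceOf[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Vault: transfer failed");
        balanceOf[msg.sender] = 0; // effect after interaction
    }

    // HARDENED ORDER (checks-effects-interactions): state is final before the
    // external call, so whatever a callback reads from the Vault is correct.
    function withdraw() external nonReentrant {
        uint256 amount = balanceOf[msg.sender];
        balanceOf[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Vault: transfer failed");
    }
}

// Lender: a second protocol that sizes a credit line from the Vault balance.
// Its own lock would not help here: the call in progress is the Vault's.
contract Lender {
    Vault public immutable vault;
    mapping(address => uint256) public credit;
    constructor(Vault v) { vault = v; }

    function openCredit() external {
        // Cross-contract defence: refuse to read Vault state mid-call.
        require(!vault.locked(), "Lender: vault mid-call");
        credit[msg.sender] = vault.balanceOf(msg.sender) / 2;
    }
}
```

The point for a reviewer is that a per-contract guard only protects the contract that carries it; state that other contracts read must be consistent at every moment an external call can be in flight.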

GMX is a decentralized exchange that lets people trade cryptocurrency derivatives directly from their wallets, without a middleman. It operates on the Arbitrum blockchain, a layer-2 network built on top of Ethereum. The V1 version of GMX had been running for years and was considered a mature, well-audited protocol.

Why It Matters

You might think that a $42 million hack on a DeFi protocol you don’t use doesn’t affect you. But the implications reach further than you might expect. When a major protocol gets exploited, it can trigger market-wide selloffs — the GMX token dropped over 20% in hours, and the broader DeFi market on Arbitrum experienced increased volatility.

More importantly, the type of vulnerability that was exploited is not unique to GMX. Cross-contract reentrancy is a class of vulnerability that exists in many DeFi protocols. Understanding how it works helps you evaluate the security of any protocol you consider using.

The exploit also highlights a sobering reality: this vulnerability was introduced by a bug fix in 2022 and went undetected for three years despite multiple professional security audits. If a well-resourced, extensively audited protocol can harbor such a flaw, smaller and newer protocols are even more likely to contain similar vulnerabilities.

Getting Started Guide

Here are the practical steps you can take to protect yourself from similar exploits:

Step 1: Prefer newer protocol versions. When protocols release V2, V3, or later versions, they typically incorporate lessons learned from V1 security incidents. GMX V2 was unaffected by this exploit because it had been redesigned with better security. Always check if a newer version is available and migrate your funds.

Step 2: Check audit reports, but don’t rely solely on them. The GMX V1 contracts had been audited multiple times, yet the vulnerability persisted. Read audit reports to understand what risks the auditors identified, even if they were considered low-probability. If an audit flags a potential issue with cross-contract interactions, take that seriously.

Step 3: Understand where your funds actually live. When you deposit funds into a DeFi protocol, your money sits in smart contracts — not in a bank account with insurance. If those contracts are exploited, your funds can disappear instantly with no recourse. Never deposit more than you can afford to lose into any single protocol.

Step 4: Diversify across protocols. Don’t put all your crypto holdings into one DeFi platform. Spread your positions across at least three to five different protocols. If one gets exploited, the majority of your capital remains safe.

Step 5: Set up alerts. Use tools like Etherscan watch lists or protocol-specific notification systems to monitor your positions. Quick awareness of an exploit gives you the best chance to withdraw funds before they’re affected.

Common Pitfalls

Many beginners make these mistakes when evaluating DeFi security:

Confusing TVL with safety. A high Total Value Locked does not mean a protocol is secure. GMX had hundreds of millions in TVL when it was exploited. TVL measures popularity, not security.

Trusting brand recognition. GMX is one of the most well-known decentralized exchanges. Brand awareness creates a false sense of security. Always evaluate each protocol on its technical merits.

Ignoring migration warnings. The GMX team had been encouraging users to migrate from V1 to V2. Users who ignored these warnings and stayed on V1 were the ones affected. When a protocol team tells you to upgrade, there is usually a good reason.

Over-relying on insurance. Some DeFi protocols offer insurance funds, but these are often insufficient to cover major exploits and can take months to process claims. Insurance is a safety net, not a replacement for good security practices.

Next Steps

Now that you understand the basics of cross-contract reentrancy and the GMX exploit, consider deepening your knowledge. Learn about other common smart contract vulnerability types — flash loan attacks, oracle manipulation, and front-running are all patterns you should recognize. Follow security researchers on social media for real-time updates on emerging threats. And most importantly, always approach DeFi with the assumption that any protocol can be exploited, and plan your strategy accordingly.

The crypto ecosystem rewards informed participants. By understanding how exploits work, you are already better positioned than the vast majority of users who simply deposit funds and hope for the best.

Disclaimer: This article is for educational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with DeFi protocols.


9 thoughts on “What Is a Cross-Contract Reentrancy Attack? A Beginner’s Guide to Understanding the GMX Exploit”

    1. bounty_hunter_

       bug bounties work but only if the payout is competitive with the exploit value. a 100K bounty for a 10M vulnerability is just a rounding error for attackers

       1. (reply) bounty_hunter_ 100%. a 10M vulnerability with a 100K bounty means the bounty is just a suggestion to do the right thing. immunefi payouts need to scale with TVL

    2. x_chain_skeptic

       bridges are the weakest link because they require trusting the destination chain's consensus. it's a fundamental cross-chain security problem not just a code quality issue

    3. Olga

       bridge security is the weakest link but cross-contract reentrancy like GMX is arguably worse. at least bridges can pause. reentrancy drains happen in one tx
