
Inside the GMX V1 Reentrancy Exploit: How a $42 Million Smart Contract Flaw Was Exploited and Reversed

On July 9, 2025, the decentralized perpetual exchange GMX suffered one of the most significant DeFi exploits of the year when an attacker drained $42 million from its Arbitrum-based V1 GLP liquidity pool. The incident sent shockwaves through the DeFi community and triggered a 20% crash in the GMX token, which plummeted from $14.42 to $10.30 within hours. Remarkably, the attacker would later return the bulk of the stolen funds in exchange for a bug bounty — but the damage to confidence in the protocol was already done. With Bitcoin trading near $119,000 and the broader crypto market surging, the exploit served as a stark reminder that even established protocols remain vulnerable to well-known attack vectors.

The Exploit Mechanics

The attack targeted GMX V1’s GLP (GMX Liquidity Provider) token system on Arbitrum. At its core, the exploit leveraged a classic reentrancy vulnerability — one of the oldest and most documented attack patterns in smart contract security. The attacker deployed a malicious smart contract that interacted with the GLP pool’s minting function. Through careful manipulation of the call stack, the attacker’s contract was able to re-enter the minting function before the previous invocation had completed its state updates. This meant the contract’s internal balance tracking failed to reflect the tokens already withdrawn, allowing the attacker to mint GLP tokens far in excess of their actual deposit. The excess tokens were then immediately sold for underlying assets, draining the pool of approximately $42 million in liquidity. The reentrancy occurred in the deposit and minting flow, where the external call to transfer tokens back to the user happened before the internal accounting variables were updated. This ordering violation — performing an external call before state finalization — is the textbook definition of a reentrancy vulnerability. The attacker capitalized on the window between the external call and the state update to recursively call the mint function multiple times within a single transaction.

Affected Systems

The exploit was confined to GMX V1 on Arbitrum. GMX V2, which operates on both Arbitrum and Avalanche, was not affected because its architecture uses a different liquidity model that does not share the same vulnerability. The GLP pool on V1 was the primary target, and the stolen funds consisted of a mix of ETH, USDC, and other tokens held in the liquidity pool. The GMX token itself experienced a sharp decline, falling from $14.42 to $10.30 — a drop of over 28% — before partially recovering. The broader DeFi market on Arbitrum also felt the impact, with total value locked across the network seeing a brief dip as users rushed to withdraw liquidity from other protocols in a contagion-fear response. Several other Arbitrum-based DeFi platforms temporarily paused deposits as a precautionary measure while they reviewed their own smart contract code for similar vulnerabilities.

The Mitigation Strategy

GMX’s response was swift and multi-pronged. Within hours of the attack, the team paused all deposits and withdrawals on the V1 protocol to prevent further exploitation. The V2 protocol continued operating normally, as its different architecture was not susceptible to the same attack vector. The team then initiated direct communication with the attacker through on-chain messages, offering a bug bounty in exchange for the return of stolen funds. This strategy paid off — the attacker returned the majority of the $42 million, retaining only a negotiated bounty amount. The returned funds were gradually redistributed to affected liquidity providers. On the technical side, GMX deployed a patch to the V1 contracts that implemented the checks-effects-interactions pattern, ensuring that all state changes are finalized before any external calls are made. Additionally, the team added reentrancy guards — modifier functions that prevent any function from being called recursively — across all critical entry points in the V1 system.
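The ordering problem and the two fixes named above, as an added Solidity example. This is a toy pool written for illustration, not GMX's code or its patch; the contract, function and variable names are hypothetical, and the pool simply credits deposited wei one-to-one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a toy pool, not GMX code. All names are hypothetical.
contract ToyPool {
    mapping(address => uint256) public credited; // wei credited to each depositor
    uint256 private _status = 1;                 // 1 = idle, 2 = inside a guarded call

    // Reentrancy guard: any nested call into a guarded function reverts.
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function deposit() external payable nonReentrant {
        credited[msg.sender] += msg.value;
    }

    // Weak ordering, kept only for comparison: the external call runs while
    // credited[msg.sender] still holds the old value, so a callback from the
    // recipient into this function passes the same check a second time.
    function withdrawAllUnsafe() external {
        uint256 amount = credited[msg.sender];                // check
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");     // interaction
        require(ok, "transfer failed");
        credited[msg.sender] = 0;                             // effect, too late
    }

    // Hardened: checks, then effects, then the interaction, behind the guard.
    function withdrawAll() external nonReentrant {
        uint256 amount = credited[msg.sender];                // check
        require(amount > 0, "nothing to withdraw");
        credited[msg.sender] = 0;                             // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");     // interaction last
        require(ok, "transfer failed");
    }
}
```

In `withdrawAll`, a nested call fails twice over: the guard reverts it, and even without the guard the credited balance is already zero when the recipient's code runs. The guard also blocks re-entry through any other guarded function of the same contract, which is why it belongs on every state-changing entry point rather than on one function.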

Lessons Learned

The GMX exploit underscores several critical lessons for the DeFi ecosystem. First, reentrancy remains a persistent threat despite being one of the most well-understood vulnerability classes. The infamous DAO hack of 2016, which also exploited a reentrancy vulnerability, should have been the last time such an attack succeeded at scale — yet nearly a decade later, the same pattern continues to claim victims. Second, protocol age and reputation do not guarantee security. GMX V1 had been operational for years and had undergone multiple audits, yet the vulnerability persisted. This highlights the importance of continuous security review and the limitations of one-time audit reports. Third, the rapid response and fund recovery demonstrate the value of having an incident response plan. GMX’s ability to quickly pause the protocol and negotiate with the attacker likely saved liquidity providers from total loss.

User Action Required

For users who had funds in GMX V1 at the time of the exploit, the immediate priority is to verify whether their recovered funds have been redistributed by the protocol. Users should check the official GMX communication channels for distribution timelines. More broadly, this incident should prompt all DeFi users to reassess their exposure to V1 protocols. If a protocol has a V2 version available, migrating to the newer version is generally advisable, as it typically incorporates security improvements learned from the V1 experience. Additionally, users should consider diversifying their DeFi positions across multiple protocols to limit exposure to any single point of failure. Finally, staying informed about protocol audits and security reviews — and understanding what they actually cover — is essential for making informed decisions about where to deploy capital.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


9 thoughts on “Inside the GMX V1 Reentrancy Exploit: How a $42 Million Smart Contract Flaw Was Exploited and Reversed”

  1. DeFi_Wizard88

    Reentrancy is literally the oldest trick in the book, it’s wild that even top-tier protocols like GMX can still get caught by it. The fact that so much capital was at risk and then actually reversed is a massive win for the security guys, but it definitely makes me think twice about ‘code is law’ when things can just be rolled back like that. Still, better than losing everything I guess.

    1. formal_verify_

      oldest trick in the book and still works on a protocol with billions in TVL. reentrancy guards cost like 20 lines of code. no excuse

    2. reentrancy_honeypot

      oldest trick and GMX still got hit. the checks-effects-interactions pattern has been best practice since 2016. billions in TVL and nobody ran a slither check

      1. slither is free and runs in 30 seconds. a protocol with $42M TVL skipping basic static analysis is a choice not a mistake

  2. Security_Maxi

    Excellent breakdown of the attack vector. Most people don’t realize how subtle these state changes can be before the external call happens. This is why formal verification needs to become the industry standard for perpetual DEXs. Glad to see the funds are safe, but this is a stern reminder that even ‘battle-tested’ contracts aren’t invincible.

    1. audit_the_audit

      formal verification is the right goal but it’s expensive and most protocols won’t pay for it until after they get exploited. tragedy of the commons in DeFi security

      1. formal verification is expensive until you compare it to a 100M exploit. the ROI is trivially positive but protocols optimize for speed not safety. incentives are misaligned

  3. Jennifer Collins

    I’m still trying to wrap my head around how someone can just ‘reverse’ a blockchain exploit. It’s definitely scary to see such huge amounts being moved around by hackers, but I’m glad the GMX team was able to act so quickly. Definitely going to be more careful with where I stake my assets from now on, DeFi is still the wild west!

  4. attacker returned most funds for a bounty which is the crypto equivalent of a bank robber negotiating severance. GMX got lucky this one had a conscience
