GMX V1: The $42M AUM Accounting Reentrancy Exploit (July 2025)
On July 9, 2025, GMX V1, a leading perpetual exchange on Arbitrum with over $400 million in TVL, suffered a catastrophic reentrancy exploit resulting in the theft of approximately $42 million in user assets. While the attack exploited legacy logic from the protocol's V1 iteration (which had been superseded by V2 in August 2023), the incident demonstrates how dormant code in production can become a critical attack surface years after deployment.
Technical Overview
The exploit targeted the Assets Under Management (AUM) accounting logic within GMX's Vault contract. GMX V1 allowed users to mint and redeem the GLP token—a liquidity provider token that represents a basket of assets backing GMX's perpetual markets. The value of GLP is dynamically calculated based on the PnL (Profit and Loss) of open positions in the system.
Exploit Mechanism: The Reentrancy Loop
The attack was a sophisticated multi-step exploitation of GMX's order execution flow, specifically the executeDecreaseOrder function.
- Order Injection: The attacker called executeDecreaseOrder in the Position Manager. Normally, this function is called by the orderbook contract, which is triggered by keeper bots. The attacker structured this call so that their own malicious contract (0x7D3BD503...) was treated as the position owner.
- Gas Refund Hook: During the order execution flow, GMX's system provides a gas refund to the caller. This callback allowed the attacker's malicious contract to re-enter the system and hijack the execution flow.
- Price Calculation Bypass: Within the reentrancy context, the attacker called increasePosition() directly on the Vault contract. Crucially, the standard checks that calculate the average short price were skipped because the execution had been hijacked before these calculations could complete.
- AUM Manipulation:
  - By opening a massive short position on WBTC through the reentrancy loop, the attacker artificially deflated the global average short price for BTC—from approximately $109,515 to $1,913.
  - Since GLP's value is derived from the PnL of open positions, this drastic shift artificially inflated the GLP price from its standard $1.45 to over $27.
- Value Extraction: The attacker executed a flash loan to acquire a large amount of GLP at the artificially high price. They then redeemed the GLP for the underlying assets (ETH, BTC, etc.) at the inflated valuation, extracting approximately $42 million in real value.
The White-Hat Resolution
Notably, this attack was conducted by a white-hat security researcher. Within 48 hours:
- The attacker returned approximately $40 million to GMX's Multisig wallet.
- The attacker retained a $5 million bug bounty for the responsible disclosure.
Why This Matters (Legacy Code Risk)
The GMX V1 incident highlights a critical blind spot in DeFi security:
- Production Legacy: Even after migrating to GMX V2, the V1 contracts remained live and held significant TVL. These contracts were not actively developed but were still part of the protocol's on-chain attack surface.
- The "Ghost" Accounting Risk: The AUM calculation in GMX V1 was highly sensitive to position price state. The reentrancy allowed the attacker to manipulate the state before the accounting could "settle," creating a massive arbitrage opportunity.
- Account Type Validation: The vulnerability was exploitable because GMX allowed contract accounts to trigger order execution. Traditional EOA-based checks would have prevented the reentrancy vector.
Mitigation Strategies
- Contract vs. EOA Validation: Implement strict msg.sender validation in critical order execution functions. Use EIP-7702 checks or simple extcodehash validation to ensure that only Externally Owned Accounts (EOAs) or explicitly authorized contracts can trigger sensitive state-changing functions.
- Reentrancy Guards: Apply the Checks-Effects-Interactions pattern rigorously, especially in functions that handle position management and AUM calculations. Consider implementing a nonReentrant modifier on all entry points.
- Accounting Checkpoints: Calculate and lock the AUM state before executing any external calls. Any re-entrancy attempt should see the pre-manipulation price, not the post-manipulation state.
- Legacy Deprecation: Protocols must actively migrate or "kill" old contract versions. If TVL remains in legacy contracts, they should undergo annual re-auditing against modern attack vectors.
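The caller validation, reentrancy guard and accounting checkpoint described above, drawn together in one hardened order-execution skeleton. This is an added illustration and not GMX's own code: the contract, its global short state variables, the isKeeper allowlist and the refundWei parameter are modelled assumptions, and msg.sender.code.length stands in as the simple form of the extcodehash check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative hardened executor (modelled, not GMX code) combining the three
// mitigations above: caller validation, a reentrancy guard, and settling the
// state the GLP price depends on before any external call is made.
contract HardenedOrderExecutor {
    uint256 public globalShortSizeUsd;        // modelled global short state
    uint256 public globalShortAveragePrice;   // that feeds the AUM valuation
    mapping(address => bool) public isKeeper; // explicitly authorized contracts
    uint256 private _status = 1;              // 1 = idle, 2 = executing
    event DecreaseExecuted(address indexed account, uint256 sizeDeltaUsd);
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    // Plain EOAs or allowlisted keepers only. An EIP-7702 delegated EOA carries
    // code, so such a caller has to be on the allowlist to be accepted.
    modifier onlyEoaOrKeeper() {
        require(msg.sender.code.length == 0 || isKeeper[msg.sender], "unauthorized caller");
        _;
    }
    // refundWei stands in for the execution-fee refund paid back to the caller.
    function executeDecreaseOrder(address account, uint256 sizeDeltaUsd, uint256 refundWei)
        external nonReentrant onlyEoaOrKeeper
    {
        // Checks
        require(sizeDeltaUsd <= globalShortSizeUsd, "size exceeds global short");
        // Effects: settle the price state before touching any external address,
        // so no caller can observe or modify an intermediate value.
        globalShortSizeUsd -= sizeDeltaUsd;
        if (globalShortSizeUsd == 0) globalShortAveragePrice = 0;
        emit DecreaseExecuted(account, sizeDeltaUsd);
        // Interactions: the refund is the last step, and nonReentrant rejects any
        // call back into this contract while the transfer is in flight.
        (bool ok, ) = payable(msg.sender).call{value: refundWei}("");
        require(ok, "refund failed");
    }

    // Weighted-average update; the guard means it cannot run mid-execution.
    function increasePosition(uint256 sizeDeltaUsd, uint256 price) external nonReentrant onlyEoaOrKeeper {
        require(sizeDeltaUsd > 0, "zero size");
        uint256 newSize = globalShortSizeUsd + sizeDeltaUsd;
        globalShortAveragePrice =
            (globalShortSizeUsd * globalShortAveragePrice + sizeDeltaUsd * price) / newSize;
        globalShortSizeUsd = newSize;
    }
    receive() external payable {} // holds the ETH used for refunds
}
```

Because the global short state is written before the refund call and both entry points share the same lock, a contract that tries to call back into increasePosition during the refund reverts instead of seeing a half-settled average price.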
Conclusion
The $42M GMX V1 exploit is a powerful reminder that security is not a one-time event. As DeFi protocols evolve through iterations, their oldest contracts often become their weakest links. The reentrancy vector exploited here was a classic pattern that should have been caught by standard auditing, yet it persisted in production for nearly two years after the V2 migration.