Hacker exploits GMX V1 through malicious smart contract, minting unauthorized tokens
The GMX exchange saw abnormal outflows of multiple assets, suggesting an ongoing exploit. The losses from the attack are around $42M based on the initial estimation.
On-chain data showed suspicious outflows from the GMX exchange. The transactions showed multiple markets were drained, estimating a $42M initial loss from the exploit.
A series of transactions was performed on Arbitrum, affecting WBTC, as well as bridged versions of USDC, USDT, LINK, UNI, and FRAX. The possible explanation is a re-entrancy attack, where an abnormal amount of GLP tokens was minted.
According to on-chain analysts, the protocol was attacked through a malicious smart contract funded with mixed funds from Tornado Cash. Soon after the exploit, the GMX exchange team reached out to the hacker, offering a 10% white hat bounty.
Within the first hour after the hack, GMX has not yet talked about freezing USDC in an attempt to salvage some of the funds. The hacker held around $2.28M in USDC, with the rest of the funds still in other tokens, including WBTC. GMX has admitted its V1 vaults were attacked, only affecting some of its smart contracts, with no vaults drained from V2.
GMX hacker held all funds in a single wallet
All funds were sent to one wallet, with over $32M in Arbitrum-based assets, and another $9M on Ethereum after bridging. The Ethereum-based funds are at a higher risk of being swapped and mixed, due to the higher available liquidity.
The hacker bridged USDC to Ethereum, later swapping the assets to DAI. Less than an hour after the exploit, the wallet continued to bridge funds to Ethereum, storing $11M in one of the wallets.
DAI is one of the assets most often mixed through Tornado Cash or concealed through DeFi swaps. The exploit shows similarities with previous protocol hacks, suggesting the participation of DPRK hackers. GMX was affected just months after the Cetus Protocol DEX was hacked and managed to freeze some of the funds.
The new wallet was created two days before the exploit and funded with ETH originating from TornadoCash, according to the researchers from SlowMist.
🚨SlowMist TI Alert🚨
MistEye has detected potential suspicious activities related to @GMX_IO , involving a $42M ( $USDC, $DAI, $LINK, $WETH, etc).
🧩 Initial funds:
July 7: 2 $ETH withdrawn from TornadoCash, bridged to Arbitrum via Mayan.💸 Fund flow:
Some funds bridged to… pic.twitter.com/C48JaIiFmy— SlowMist (@SlowMist_Team) July 9, 2025
The origins of the funds are token vaults on the GMX exchange. GMX was one of the busiest markets for perpetual futures, attracting traffic with opportunities for high-leverage trading. GMX is a relatively smaller market, with around $1B in weekly volumes and a few thousand users.
GMX expanded in Q2
The platform adds to the perpetual futures DEX trend, offering niche access to high-leverage activity. While not as high-profile as Hyperliquid, GMX expanded its activity in Q2.
The perpetual futures DEX locks in over $502M in its vaults, with all-time TVL at over $690M in late 2024. The value locked in vaults has been growing since this year’s market low in April, rising by over 50% to over $500M.
The market achieves over $65M in annual fees with around $23 in yearly revenues, and carries over $6.4B in monthly trading volumes. Following the recent hack, the DEX native token GMX crashed by over 10% to a three-month low. GMX slid to $12.29, deepening the initial losses from the hack.
Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites
Recommended Articles
