Hacker Stole Over $60 Million From GMX And is Now Considering Wearing a White Hat

Hacker Stole Over $60 Million From GMX And is Now Considering Wearing a White Hat


GMX, the decentralized perpetual contract exchange running on the Arbitrum and Avalanche networks, was exploited on July 9 for over $60 million. According to Lookonchain, a platform that tracks on-chain events, the hacker returned $10 million in Legacy Frax Dollar (FRAX), a cryptocurrency pegged to the US dollar. It is estimated that the hacker could return at least $42 million in exchange for $5 million as a reward for hunting the bug.

Block explorer Arbiscan confirms that the $10 million was returned to an Arbitrum contract labeled GMX Deployer. This account appears to have administrative privileges on the GMX platform and likely belongs to the perpetual exchange's management. The entire GMX attack occurred on Arbitrum, as a security alert prevented the same from happening on Avalanche.

With this return, the hacker still has approximately 11,700 ETH from the exploited contract in his possession. Since they fell into his hands, these coins have generated unrealized profits of approximately $3 million, thanks to the rise in the price of ether to around $3,000.

According to a statement from GMX, the root cause of the exploit was a reentrancy attack on the following smart contract.

Although this function has the nonReentrant modifier to protect against reentrancies, this only prevents reentrancies for functions within the same contract, i.e., within the OrderBook contract. The attacker leveraged this reentrancy to directly call increasePosition in the Vault contract.

GMX, perpetual exchange.

In a nutshell, this reentrancy attack would have allowed the hacker to bypass local bitcoin (BTC) price calculations, open a short futures position, and manipulate the average short BTC price down, “from an initial value of $109,505.77 to $1,913.70.”

The attacker then took out a flash loan on GMX for a token ticker GLP at the current price of $1.45, and opened a long position equivalent to $15 million.

Due to the manipulation of the average selling price, the loss per sale was calculated at 15,385,676 * (1,913.70 – 108,757,787) / 1,913.70 = 859,000,107,173, where 108,757,787 represents the current BTC oracle price.

This caused the price of LPG to inflate above $27, after which the attacker redeemed the minted LPG at that price.

GMX, cryptocurrency exchange.

In a personalized message to the hacker dated July 10, GMX assured him that the reward for returning the funds is still active. It was today, July 11, that the hacker began returning part of the funds to the exchange's management.

How do you rate this article?

23



Blockchain Development
Blockchain Development

A blog that covers everything that's happening in crypto world.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.