GMX Hack (2025)

Monetary Impact: $42,000,000
Month: July
Year: 2025
Type: Smart Contract
Network: Arbitrum
Platform Status: Operational
Cause: Cross-contract reentrancy enabling GLP price manipulation

Incident Review

On July 9, 2025, GMX V1, a decentralized perpetuals exchange on Arbitrum that had processed roughly $305B in trading volume, lost about $42M to a cross-contract reentrancy attack. PositionManager.executeDecreaseOrder assumed that _account was an externally owned account. When the account was a contract instead, the ETH refund pushed to it during order execution triggered the contract's fallback, which reentered Vault.increasePosition while the keeper flow still had leverage enabled on the Vault. Positions opened through that path were not reflected in the globalShortAveragePrices value that GlpManager.getAum uses to value the global short exposure, so the stale average price made the shorts appear deeply under water and inflated the reported AUM.

The attacker funded the positions with a flash loan of USDC, opened phantom WBTC shorts whose apparent unrealized losses inflated AUM, minted GLP at the pre-manipulation price, and redeemed it at the inflated price, draining ETH, USDC and WBTC over ten transactions before moving funds through Tornado Cash.

GMX paused GLP minting and redemption, offered a 10% ($4.2M) bounty, recovered $40.5M (about 90%) in ETH and FRAX, compensated affected users with roughly $44M from treasury funds and the bounty arrangement, and closed the hole with V2 upgrades.

Prior audits missed the cross-contract guard gap. The incident, a hybrid of OWASP Smart Contract Top 10 SC05 (reentrancy) and SC03 (logic error) and the ninth-largest hack on record, shows the cost of EOA assumptions in keeper-driven execution paths. The defenses that follow from it: finish every position state update before any external call (checks-effects-interactions), credit refunds for the account to pull rather than pushing ETH to arbitrary addresses, extend the reentrancy guard to every contract that shares the Vault's leverage window, and fuzz the AUM and GLP pricing invariants. The $42M loss adds to an estimated $1.77B stolen across DeFi in Q1 2025.
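The accounting desync described above, as an added example that is not GMX's code and not part of the original report: a constructed Python model in which the keeper's refund callback lets a contract account reenter the vault during the leverage window, the tracker copy of the short average price goes stale, and AUM inflates in proportion to the phantom short. The hardened keeper beside it applies the fixes listed above (no external call during execution, pull-based refunds, a lock the vault itself checks), and aum_invariant_holds is the property a fuzzer would check. All class names, formulas and numbers are simplified stand-ins for the real contracts, not a reconstruction of the attacker's transactions.

```python
"""Constructed toy model, not the GMX contracts: GLP pricing that takes the global short size
from the Vault but its average entry price from a separate ShortsTracker copy, and a keeper that
pushes an ETH refund to the order's account mid-execution.  Names follow GMX V1 loosely;
formulas and numbers are simplified stand-ins."""
from fractions import Fraction as F

def next_avg_price(size, avg, size_delta, price):
    """PnL-preserving average entry for a short of `size` at `avg` grown by `size_delta` at
    `price` (same shape as nextPrice * nextSize / (nextSize + delta) for a losing short)."""
    return F(price) if size == 0 else F(size + size_delta) * price / (F(size) * price / avg + size_delta)

class Vault:
    def __init__(self, pool_usd, short_size, short_avg, price):
        self.pool_usd, self.short_size, self.short_avg, self.price = map(F, (pool_usd, short_size, short_avg, price))
        self.leverage_enabled = False  # global flag toggled around keeper execution, as in GMX V1
        self.locked = False            # cross-contract reentrancy guard; only the hardened keeper sets it

    def increase_short(self, size_delta):
        """Direct position increase: moves the vault's own average, tells the tracker nothing."""
        if not self.leverage_enabled:
            raise PermissionError("leverage disabled outside keeper execution")
        if self.locked:
            raise PermissionError("reentrancy: keeper execution in flight")
        self.short_avg = next_avg_price(self.short_size, self.short_avg, size_delta, self.price)
        self.short_size += size_delta

    def decrease_short(self, size_delta):
        """Close part of the global short; the realised loss is paid into the pool."""
        self.pool_usd += size_delta * (self.price - self.short_avg) / self.short_avg
        self.short_size -= size_delta

def get_aum(vault, tracker_avg):
    """Pool value plus unrealised loss (minus profit) of global shorts, sized from the vault
    but priced from the tracker's copy of the average: the two values the reentrancy drives apart."""
    if not vault.short_size:
        return vault.pool_usd
    delta = vault.short_size * abs(vault.price - tracker_avg) / tracker_avg
    return vault.pool_usd + (delta if vault.price > tracker_avg else -delta)  # losing shorts add to AUM

class VulnerableKeeper:
    """Refund pushed through an external call mid-execution; nothing stops the callee from
    reentering the vault (the "_account is an EOA" assumption)."""
    def __init__(self, vault):
        self.vault, self.refunds = vault, {}

    def execute_decrease_order(self, account, size_delta, refund_eth):
        self.vault.leverage_enabled = True
        self.vault.decrease_short(size_delta)
        account.on_refund(refund_eth)  # a contract account's fallback runs here
        self.vault.leverage_enabled = False

class HardenedKeeper(VulnerableKeeper):
    """Checks-effects-interactions: no external call during execution, refunds are pulled
    afterwards via withdraw_refund, and a lock the vault itself checks spans the execution."""
    def execute_decrease_order(self, account, size_delta, refund_eth):
        self.vault.locked = self.vault.leverage_enabled = True
        self.vault.decrease_short(size_delta)
        self.refunds[account] = self.refunds.get(account, 0) + refund_eth  # pull, not push
        self.vault.locked = self.vault.leverage_enabled = False

    def withdraw_refund(self, account):
        return self.refunds.pop(account, 0)

class Attacker:
    """Contract account whose refund fallback reenters the vault with a phantom short."""
    def __init__(self, vault, phantom_size):
        self.vault, self.phantom_size = vault, phantom_size

    def on_refund(self, _amount):
        self.vault.increase_short(self.phantom_size)

def simulate(hardened, phantom_size=9_000_000):
    """Execute one 10k decrease order for the attacker; report AUM as the pricing sees it
    (tracker average) next to what a single consistent source would report."""
    vault = Vault(pool_usd=1_000_000, short_size=100_000, short_avg=90_000, price=100_000)
    tracker_avg = F(90_000)  # ShortsTracker copy; nothing on the reentrant path updates it
    keeper = (HardenedKeeper if hardened else VulnerableKeeper)(vault)
    glp_supply = F(1_000_000)
    before = get_aum(vault, tracker_avg)
    keeper.execute_decrease_order(Attacker(vault, phantom_size), size_delta=10_000, refund_eth=1)
    after = get_aum(vault, tracker_avg)
    return {"aum_before": before, "aum_after": after,
            "aum_consistent": get_aum(vault, vault.short_avg),
            "glp_price_before": before / glp_supply, "glp_price_after": after / glp_supply,
            "vault_short_size": vault.short_size}

def aum_invariant_holds(result, tol_bps=0):
    """Fuzz target: executing an order must not move AUM by more than tol_bps (fees aside)."""
    before, after = result["aum_before"], result["aum_after"]
    return abs(after - before) * 10_000 <= before * tol_bps

def lock_blocks_reentrant_increase():
    """Defense in depth: a direct increase is refused while the lock is held, even with leverage on."""
    vault = Vault(1_000_000, 100_000, 90_000, 100_000)
    vault.locked = vault.leverage_enabled = True
    try:
        vault.increase_short(1)
        return False
    except PermissionError:
        return True
```

Calling simulate(False) shows the GLP price roughly doubling (about 1.011 to 2.011 in these made-up units) while aum_consistent, computed from the vault's own average, does not move at all: the whole inflation is the stale copy, not real losses. simulate(True) leaves AUM unchanged and the phantom short never opens, and the lock remains as a second barrier if some other external call is ever reintroduced. Randomising the order size, phantom size and prices fed into simulate and asserting aum_invariant_holds is the shape of invariant fuzzing the review recommends for AUM logic.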

©2025, UEEx All Rights Reserved FINTRAC Registered