The GMX platform has reported a major exploit targeting the first version of its protocol (GMX V1), which allowed an unknown attacker to drain $40 million from its liquidity pool. In response, the team suspended trading and temporarily halted all operations involving GLP tokens to prevent further damage.
Attack on GMX V1 Liquidity Pool
GMX V1 is the initial version of the decentralized exchange GMX, deployed on the Arbitrum network. The compromised pool was a “basket” of digital assets, including Bitcoin (BTC), Ethereum (ETH), and stablecoins. These assets were used to provide liquidity for leveraged trading on the platform.
The GMX team confirmed that the exploit only affected GMX V1 and its associated GLP token system. The current version, GMX V2, and the GMX token remain unaffected and safe.
Emergency Measures to Block the Vulnerability
Developers urged all users to disable leveraged trading and suspend the issuance of GLP tokens. Specifically, they recommended calling Vault.setIsLeverageEnabled(false) or, when using Timelock, Timelock.setShouldToggleIsLeverageEnabled(false). To prevent further GLP issuance, users must manually set maxUsdgAmount = 1 for all tokens. A value of "0" should not be used, as it removes the limit altogether.
Alongside Arbitrum, the issuance and redemption of GLP tokens were also paused on the Avalanche network.
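The settings above are easy to get wrong because 0 reads like "off" but means "unlimited". The following added example (not GMX code, and not from the team's advisory) audits a snapshot of a deployment's configuration against the recommended values. The snapshot structure, field names, token list and amounts are constructed assumptions, as is treating a token with no configured entry as 0.

```python
# Added example, not GMX code. Field names and sample values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCKING_CAP = 1  # value the advisory asks for; 0 would remove the limit


@dataclass
class VaultSnapshot:
    is_leverage_enabled: bool
    # None when the deployment does not use a Timelock
    timelock_should_toggle_leverage: Optional[bool]
    tokens: List[str]                      # every token the pool accepts
    max_usdg_amount: Dict[str, int] = field(default_factory=dict)


def audit(snap: VaultSnapshot) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means compliant."""
    findings = []
    if snap.is_leverage_enabled:
        findings.append(("high", "leverage enabled: Vault.setIsLeverageEnabled(false) not applied"))
    if snap.timelock_should_toggle_leverage:
        findings.append(("high", "Timelock.setShouldToggleIsLeverageEnabled(false) not applied"))
    for token in sorted(snap.tokens):
        # Assumption: an entry that was never set reads back as 0.
        cap = snap.max_usdg_amount.get(token, 0)
        if cap == 0:
            findings.append(("critical", f"{token}: maxUsdgAmount is 0, no limit on issuance"))
        elif cap != BLOCKING_CAP:
            findings.append(("high", f"{token}: maxUsdgAmount is {cap}, expected {BLOCKING_CAP}"))
    return findings


# Constructed snapshot: one cap zeroed by mistake, one token never configured.
SAMPLE = VaultSnapshot(
    is_leverage_enabled=False,
    timelock_should_toggle_leverage=True,
    tokens=["WBTC", "WETH", "USDC", "DAI"],
    max_usdg_amount={"WBTC": 1, "WETH": 0, "USDC": 50_000_000 * 10**18},
)

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```
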
Source of the Vulnerability
According to blockchain security firm SlowMist, the exploit stemmed from a structural flaw in the protocol itself. Analysts explained that the attackers managed to manipulate the GLP token price by distorting the calculation of the total value of assets under management.