GLP funds on Arbitrum fully recovered, following successful negotiation. These are the next steps for distribution.
A user disclosed a live vulnerability in the GMX V1 deployment on Arbitrum.
On July 9, 2025, a user disclosed a live vulnerability in the GMX V1 deployment on Arbitrum. This vulnerability allowed for ~$40 million of GLP liquidity to be compromised and withdrawn to an external wallet. The funds were returned, following outreach by GMX, and are now held by the DAO, awaiting distribution to the liquidity providers in the Arbitrum GLP vault.
GMX V2 is unaffected by this vulnerability. Trading and liquidity provision continue as normal on GMX V2.
Executive Summary
~$40m in GLP funds on Arbitrum were compromised due to a GMX V1 vulnerability
The affected funds have been fully recovered
A $5m bug bounty was paid to the user who uncovered this vulnerability
Recovered assets are secured in the GMX Treasury under the oversight of the Security Committee
A distribution plan for affected Arbitrum GLP holders is being discussed and will be evaluated by the GMX DAO
Current State of GMX V1
On Arbitrum:
GLP minting and redemption are disabled
Closing of open positions is enabled
Opening new positions and executing existing orders are permanently disabled
esGMX vesting using GLP remains functional
Users should close all V1 positions and cancel any pending orders
On Avalanche:
GLP minting is now disabled
GLP redemptions remain available
esGMX vesting via the GLP vesting vault remains functional
Redeeming GLP is recommended unless GLP is actively used for vesting
Users should close all V1 positions and cancel any pending orders
Distribution Plan
Snapshots of the total Assets Under Management (AUM) in GLP on Arbitrum will be taken at the points just before and just after the incident. This amount will be distributed back to GLP holders, pending DAO approval.
1. Preliminary Actions and Asset Conversion
GMX has already undertaken the following actions to initiate the distribution process, following an evaluation by the Security and Risk Committees:
Immediate pausing of GMX V1
Follow-on security transactions to ensure that funds remaining in the GLP vault are secure
Conversion of all recovered assets into stablecoins, to ensure that value is preserved
Funds bridged back to Arbitrum and secured in the GMX Treasury, overseen by the GMX Security Committee
2. Fund Distribution: The Path Forward
Simply placing the recovered funds back into GLP isn't a viable option due to several complexities, including:
During the exploitation of the vulnerability, the GLP token balances were changed
GLP mints and redeems have occurred since the incident, and need to be fairly accounted for
Numerous DeFi protocols are built on GLP, and they may face issues due to the altered values of the assets in GLP. Resolving this requires tailored solutions.
Accordingly, the GMX DAO will need to carefully evaluate several important decisions, including:
Fund Custody Strategy
Retaining the funds in stablecoins
Converting them into a mixture of the original assets
Converting them into GLV tokens, the Liquidity Vault of GMX V2, which provide a comparable composition, asset exposure, and yield to GLP
Supplementation from Treasury
Whether to provide a partial reimbursement pro rata, or to use the GMX Treasury to cover any potentially remaining shortfall, based on the snapshot of GLP AUM
Form of Reimbursement
What asset(s) should be distributed to affected users
Distribution Timeline
What is a realistic timeline for completing the distribution process safely and correctly
Proposed options, along with relevant information and technical feasibility, will be presented to the GMX DAO shortly to determine these key aspects of the Distribution Plan.
GMX strives for a fair and accurate distribution that yields a positive outcome for as many users as possible. We appreciate your patience and understanding during this process.
A Few Reflections
We would like to extend our deepest gratitude to all our security partners, involved researchers, the Arbitrum team, various exchanges, bridge providers, and stablecoin partners (FRAX & USDT) who have assisted GMX in navigating this complex process. Your swift and dedicated collaboration was instrumental in protecting both GLP holders and the GMX DAO.
We would also like to thank the numerous members of the GMX community and fellow builders who stood by us, offered their support, and provided helpful suggestions during these challenging times.
To the user 0xDF3340A436c27655bA62F8281565C9925C3a5221, we extend our gratitude for your critical role in discovering a vulnerability within the GMX V1 codebase and for ensuring the safe return of funds to the DAO.
Immunefi Bug Bounty program
GMX encourages users who discover any vulnerability to engage directly with our Immunefi bounty program for its disclosure.
This program is specifically designed to protect protocols and white-hats, and it ensures proper documentation is in place to validate bounty payments.
Renewed Focus on Safety and Security
This incident serves as a timely reminder for us to continue enhancing the security of GMX. GMX contributors will continue prioritising the addition of more layers of security to ensure the safety of the protocol and its users.
Details of the Vulnerability
The information below has been shared with all GMX V1 forks that we could reach out to; it is being re-shared here for documentation purposes.
Based on a review of the incident by contributors, auditors and security researchers, the root cause of this vulnerability is re-entrancy. The entry point would be: https://github.com/gmx-io/gmx-contracts/blob/master/contracts/core/OrderBook.sol#L874.
While this function has the `nonReentrant` modifier to guard against re-entrancy, that modifier only prevents re-entry into functions of the same contract, i.e. the OrderBook contract; it does not stop a re-entrant call into a different contract. This re-entrancy would be used to call `increasePosition` in the Vault contract directly.
Under regular operation, the increasePosition function in the Vault contract can only be called by the PositionRouter and PositionManager contracts. The PositionRouter and PositionManager contracts are needed to ensure that the average short price is properly calculated.
The price of GLP is dependent on the pending PnL, which is calculated based on the average short price. By utilising this re-entrancy and bypassing the average short price calculations, an attacker could open positions and manipulate the average short price for BTC downwards from the initial value of $109,505.77 to $1,913.70.
An attacker could then use a flash loan to:
Purchase GLP at the fair price of $1.45
Open a large position of size $15,385,676
Due to the manipulated average short price, the short losses would be calculated as 15,385,676 * (1913.70 - 108,757.787) / 1913.70 = 859,000,107.173, where 108,757.787 is the current BTC oracle price.
Because losses on the global short position count as pending profit for the GLP pool, this would inflate the GLP price to above $27, after which the attacker could redeem the minted GLP at this inflated price.
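As an added illustration, not GMX's own code, the following simplified Python model follows the dependency described above (tracked average short price, then pending PnL, then GLP price) and shows a monitoring invariant that flags the manipulated state. The weighted-average update rule, the pool size and the alert threshold are assumptions; the prices, position size and PnL figure are the ones given in the post.

```python
# Added example, not GMX code: a simplified model of the dependency described
# in the post (tracked average short price -> pending PnL -> GLP price), plus a
# monitoring invariant. Update rule, pool size and threshold are assumptions.

def short_pnl(size_usd: float, avg_price: float, mark_price: float) -> float:
    """Aggregate short PnL with the post's formula: size * (avg - mark) / avg.
    Negative means the shorts are losing, which is a gain for the GLP pool."""
    return size_usd * (avg_price - mark_price) / avg_price


def next_avg_short_price(size: float, avg: float, delta: float, mark: float) -> float:
    """Size-weighted entry price after `delta` USD of new shorts open at `mark`.
    Assumed stand-in for the bookkeeping the PositionRouter/PositionManager
    path performs; a direct call into the Vault skips this update entirely."""
    if size == 0:
        return mark
    return (size * avg + delta * mark) / (size + delta)


def glp_price(pool_value: float, glp_supply: float,
              short_size: float, avg_short: float, oracle: float) -> float:
    """GLP price = (pool assets - shorts' pending PnL) / GLP supply."""
    return (pool_value - short_pnl(short_size, avg_short, oracle)) / glp_supply


def pnl_within_bounds(pool_value: float, pending_pnl: float,
                      max_ratio: float = 0.25) -> bool:
    """Invariant a monitor could alert on (assumed threshold): pending PnL
    should never exceed a fixed fraction of the pool's own assets."""
    return abs(pending_pnl) <= max_ratio * pool_value


if __name__ == "__main__":
    BTC_ORACLE, AVG_HONEST, AVG_MANIPULATED = 108_757.787, 109_505.77, 1_913.70
    SIZE = 15_385_676.0
    POOL = 40_000_000.0            # constructed: ~$40m of pool assets
    SUPPLY = POOL / 1.45           # constructed: supply at the $1.45 fair price

    honest = next_avg_short_price(50_000_000.0, AVG_HONEST, SIZE, BTC_ORACLE)
    print(f"weighted average after an honest open: {honest:,.2f}")  # stays ~109k
    loss = short_pnl(SIZE, AVG_MANIPULATED, BTC_ORACLE)
    print(f"short PnL at the manipulated average: {loss:,.3f}")     # ~ -859,000,107
    print("GLP price fair / manipulated: "
          f"{glp_price(POOL, SUPPLY, SIZE, AVG_HONEST, BTC_ORACLE):.2f} / "
          f"{glp_price(POOL, SUPPLY, SIZE, AVG_MANIPULATED, BTC_ORACLE):.2f}")
    print("pending PnL within bounds:", pnl_within_bounds(POOL, loss))  # False
```

The honest weighted average stays between the two BTC prices no matter how large the new position is, so a tracked value of $1,913.70 against a six-figure oracle price is exactly the kind of divergence a pending-PnL bound would surface before redemptions are priced off it.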
Stay updated about GMX:
Website: https://gmx.io/
Twitter: https://x.com/GMX_IO
Telegram: https://t.me/GMX_IO
Announcements: https://t.me/GMX_Announcements
Discord: https://discord.gg/H5PeQru3Aa
Github: https://github.com/gmx-io
Documentation: https://docs.gmx.io/