The attacker behind the $40 million exploit from the decentralized derivatives trading exchange GMX has begun to return funds after apparently accepting a $5 million bug bounty from the project.
The attack targeted the GLP V1 pool of GMX on Arbitrum, taking away more than 40 million USD in various cryptocurrencies such as USDC, FRAX, WBTC, and WETH. GMX immediately suspended trading and minting of V1 on both Arbitrum and Avalanche. GMX V2 and the GMX token were not affected.
After the onchain message committing to a 10% reward and no legal action if the attacker returns within 48 hours, the hacker responded: “ok, funds will be returned later”. Shortly after, the hacker’s address returned a total of 10.5 million FRAX to GMX, according to PeckShield.
The GMX token fell to a low of $10.45 (-28%) after the incident but has recovered 14% to $13.25 following news that the hacker has begun to return the funds.
The technical report confirms the attack exploiting the re-entrancy vulnerability in the OrderBook contract to manipulate the short BTC price and profit from GLP. GMX stated that it will stop minting/redemption of GLP V1 on Arbitrum, refund affected users, and open a DAO discussion on the next steps.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
