GMX Halts Trading After $40 Million Crypto Pool Drained in Attack

GMX V1, which first launched on the Arbitrum ARB $0.2227 network in 2021 and later expanded to Avalanche AVAX $14.76 , allows users to trade perpetual futures while liquidity providers earn fees through a token called GLP. This token is backed by a pool of assets that users deposit.

However, that pool was emptied after an attacker exploited a flaw in the system, which rendered GLP holders unable to redeem their tokens for the expected value.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Crypto Fees Explained: How Not to Overpay? (Animated)

SUBSCRIBE

ON YOUTUBE

Data on GMX’s website showed that roughly $10 million in each Bitcoin BTC $93,398.10 and USDC USDC $0.9980 , about $8.5 million in Ethereum ETH $3,180.62 , nearly $1 million in USDT USDT $0.9983 , and a large amount of Uniswap UNI $6.11 and Chainlink LINK $14.62 tokens were stolen.

Suhail Kakar, a developer at TAC, explained on X that the exploit was a type of "re-entrancy" attack, where the smart contract was tricked into believing no funds had been withdrawn yet. This allowed the attacker to repeatedly create new GLP tokens using the same original funds.

Blockchain security firm PeckShield noted that the wallet used in the attack had been funded through Tornado Cash, likely to hide the trail. The stolen funds are currently stored in that wallet, while investigators attempt to track the transactions.

In response, GMX stopped all V1 trading on both Arbitrum and Avalanche, and also disabled GLP minting and leverage trading.

Resupply, a decentralized finance (DeFi) platform, confirmed a breach in one of its markets, which resulted in the loss of around $9.6 million worth of crypto assets. How did the incident happen? Read the full story.