At 1:34 p.m. London time on July 9, 2025, the numbers inside one of the largest decentralized exchanges stopped making sense. A deliberate smart contract exploit drained $42 million from the GMX V1 liquidity pool on the Arbitrum network in broad daylight. Instead of fighting a losing legal battle, the protocol developers did something completely unexpected. They sent a public message to the attacker offering a multimillion-dollar payout to just walk away.
The Disappearing Act on Arbitrum
The attack started like a standard transaction, but the security alerts followed almost immediately. Blockchain security firms like PeckShield and Cyvers watched in real time as an unknown wallet drained approximately $42 million from the GLP pool. The GMX core team moved quickly to disable trading and pause the minting and redemption of GLP tokens on both Arbitrum and Avalanche to stop the bleeding.
The breach stemmed from a cross-contract reentrancy vulnerability hidden deep within the legacy code. Reentrancy is a classic but brutal technique: an attacker calls back into a contract (here, by way of a second contract) before the previous execution has finished updating its state, so the contract acts on stale or half-updated balances. According to a post-mortem breakdown by Halborn Security, the attacker exploited a specific flaw in the executeDecreaseOrder function.
This allowed the hacker to systematically extract value through a very specific sequence of events on the blockchain. The execution was clean, deliberate, and required a deep understanding of how the exchange calculated asset prices.
- The attacker manipulated global short average prices within the ShortTracker contract.
- This created a circular dependency that artificially inflated the price of GLP tokens.
- The inflated tokens were then redeemed for real underlying assets like Ethereum and Wrapped Bitcoin.
- The funds were immediately moved to a fresh wallet to begin the laundering process.

An Unintentional Backdoor Left Open
The most frustrating part of this security failure is its origin. The vulnerability was actually traced back to a bug fix implemented in 2022. During that time, Collider VC claimed a $1 million bug bounty after finding a flaw involving non-atomic updates of the global short size.
When developers patched that specific 2022 flaw, the new code unintentionally created the exact reentrancy loop the 2025 attacker used. You can build a highly secure platform, but complex financial code often behaves in unpredictable ways when different contracts interact. It serves as a stark reminder of the risks involved in maintaining legacy decentralized finance protocols.
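To make the two failure modes described above concrete, the following is a small Python model added for this article; it is not GMX code, and the contract names, the `notify` hook standing in for an external contract call, and every number in it are constructed. It models a pool whose token price depends on a separate tracker's aggregate short size and average entry price. The vulnerable path writes the size, makes an external call, and only then writes the average price, so any contract reached by that call can price the token against a half-updated tracker. The hardened path applies both fields together before calling out and rejects re-entry, including re-entry into the price read, which is the "read-only reentrancy" variant that a guard on state-changing functions alone would miss.

```python
"""Toy model of non-atomic tracker updates exposed through an external call.

Constructed example, not GMX code: contract names, the `notify` hook and all
numbers are assumptions made for illustration."""

from dataclasses import dataclass
from typing import Callable, List, Optional

Hook = Callable[[], None]  # stands in for an external call into another contract


class ReentrancyError(RuntimeError):
    """Raised when a guarded entry point is used while another guarded call is live."""


@dataclass
class ShortTracker:
    size: float       # aggregate short size, in USD
    avg_price: float  # volume-weighted average entry price of the shorts

    def pnl(self, mark: float) -> float:
        # Short PnL is positive when the mark falls below the average entry price.
        return self.size * (self.avg_price - mark) / self.avg_price


class Pool:
    """Pool assets back the LP token; unrealised short PnL is booked against them."""

    def __init__(self, assets_usd: float, lp_supply: float,
                 tracker: ShortTracker, guarded: bool) -> None:
        self.assets_usd = assets_usd
        self.lp_supply = lp_supply
        self.tracker = tracker
        self.guarded = guarded   # False = vulnerable ordering, True = hardened
        self._locked = False     # shared reentrancy lock for writes and price reads

    def lp_price(self, mark: float) -> float:
        # Read path is guarded too: pricing against a half-updated tracker is the bug.
        if self.guarded and self._locked:
            raise ReentrancyError("price read during a tracker update")
        aum = self.assets_usd - self.tracker.pnl(mark)
        return aum / self.lp_supply

    def increase_short(self, size_delta: float, mark: float, notify: Hook) -> None:
        if self.guarded and self._locked:
            raise ReentrancyError("reentrant increase_short")
        self._locked = True
        try:
            t = self.tracker
            new_size = t.size + size_delta
            new_avg = (t.size * t.avg_price + size_delta * mark) / new_size
            if self.guarded:
                # Hardened: update both fields atomically, then make the external call.
                t.size, t.avg_price = new_size, new_avg
                notify()
            else:
                # Vulnerable: size is written, an external call runs, then the average
                # price is written. The callee observes the intermediate state.
                t.size = new_size
                notify()
                t.avg_price = new_avg
        finally:
            self._locked = False


def _fresh_pool(guarded: bool) -> Pool:
    # Constructed starting state: $1M of assets, 1M LP tokens, $100k short at $2,000.
    return Pool(1_000_000.0, 1_000_000.0, ShortTracker(100_000.0, 2_000.0), guarded)


def price_seen_mid_update(guarded: bool, mark: float = 2_200.0) -> Optional[float]:
    """LP price a callee observes during increase_short; None if the guard blocks it."""
    pool = _fresh_pool(guarded)
    seen: List[float] = []

    def callee() -> None:
        # The external call lands in another contract that reads the pool's price.
        try:
            seen.append(pool.lp_price(mark))
        except ReentrancyError:
            pass

    pool.increase_short(100_000.0, mark, callee)
    return seen[0] if seen else None


def settled_price(guarded: bool, mark: float = 2_200.0) -> float:
    """LP price after the update has fully completed (the only correct value)."""
    pool = _fresh_pool(guarded)
    pool.increase_short(100_000.0, mark, lambda: None)
    return pool.lp_price(mark)


if __name__ == "__main__":
    print("vulnerable, mid-update:", price_seen_mid_update(False))  # inflated: 1.02
    print("hardened,   mid-update:", price_seen_mid_update(True))   # None (blocked)
    print("settled price:", settled_price(True))                    # about 1.0095
```

The mid-update read in the vulnerable path books the new short at the old average price, so the pool appears to carry a larger unrealised loss for the shorts and the LP token prices above its settled value. The hardened version does not merely reorder the writes; it also refuses the read while a tracker update is in flight, because the ordering fix alone would still leave the read path trusting whatever intermediate state a future refactor happens to expose.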
The attacker was clearly a professional who took deliberate steps to hide their identity. They initially funded a fresh wallet using Tornado Cash, a sanctioned privacy protocol that obscures the origin of crypto assets. Before the GMX team could even assess the full damage, the attacker had already bridged $9.6 million to the Ethereum mainnet using Circle’s cross-chain transfer protocol.
A Public Negotiation on the Blockchain
With tens of millions of dollars sitting in a hostile wallet, the developers took a page from the crisis playbook. On July 10, they sent a direct text message embedded within a blockchain transaction to the hacker’s address. It was a clear, pragmatic negotiation tactic designed to recover user deposits without a lengthy legal fight.
You’ve successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions. We would like to offer a 10% white-hat bounty.
The terms laid out by the GMX core team were simple and strict. They offered a 10 percent white-hat bounty, which translated to roughly $4.2 million, if the attacker returned the remaining assets voluntarily. Furthermore, the protocol promised not to pursue law enforcement action if the funds came back within a tight 48-hour deadline.
- The attacker keeps 10 percent of the stolen funds with no questions asked.
- The remaining 90 percent must be returned to the official protocol multisig wallet.
- The entire transaction must be completed within 48 hours of the initial offer.
- The protocol agrees to drop all pending legal action and investigations.
This strategy is always a gamble, but it places intense pressure on the attacker. Running with $42 million makes you a global target for chain surveillance firms and law enforcement. Walking away with a few million dollars legally provides a much safer exit strategy.
Taking the Deal and Making Users Whole
The clock was ticking, but the hacker ultimately decided that a guaranteed payout was better than a life on the run. On July 11, the exploiter began returning assets in chunks of $5 million. Over the next few days, more than $40 million flowed back into the protocol’s secure multisig address.
The attacker kept exactly $5 million as their final bounty payment, bringing an end to the immediate crisis. By July 16, the development team officially confirmed that the legacy V1 vulnerability was fully patched and the recovered funds were secure.
| Date (July 2025) | Event Milestone | Financial Impact |
|---|---|---|
| July 9 | Initial V1 smart contract exploit execution | $42,000,000 drained |
| July 10 | Developers issue on-chain bounty offer | $4,200,000 offered |
| July 11 | Attacker begins returning digital assets | $5,000,000 chunks sent |
| August 14 | Liquidity provider reimbursement completed | $44,000,000 total recovery |
With the money back in hand, the team focused on repairing the damage to their community. On August 14, they completed a compensation plan totaling $44 million. This covered both the recovered assets and additional protocol funds used to make liquidity providers whole after the temporary market imbalance.
Why Newer Contracts Dodged the Bullet
While the legacy system took a severe beating, the modern iteration of the exchange survived completely unscathed. GMX V2, which launched back in August 2023, was not affected by the breach at all. The newer protocol architecture abandoned the old pricing mechanics that caused the vulnerability.
Instead, the upgraded system uses Chainlink Data Streams for high-precision pricing. This oracle-based approach executes trades dynamically and prevents the exact type of price manipulation the attacker used on the older V1 contracts. Most trading volume had already migrated to these newer, safer pools long before the exploit occurred.
Despite the successful recovery, the psychological impact on the user base was real. Token Terminal data showed that average monthly active users dropped to 16,200 in the third quarter of 2025, a noticeable decline from previous peaks. Trust takes a long time to build and seconds to break.
The platform is now aggressively pushing forward to regain its footing. The team recently expanded its footprint by launching on new networks to capture fresh trading volume, a multichain rollout across public blockchains that it detailed in an official press release. The team hopes that scaling a successful decentralized exchange without compromising on security will bring traders back to the table.
The resolution of this crisis highlights exactly why the blockchain ecosystem remains so volatile. A single line of code can wipe out millions, yet open negotiation on a public ledger can bring it all back just days later. As developers continue building better safeguards, the survival of #DeFi relies entirely on learning from every costly mistake, and the #GMXExploit will undoubtedly serve as a crucial case study for the next generation of smart contract security.
Disclaimer: This article does not constitute financial advice. Interacting with decentralized finance protocols and smart contracts carries inherent risks, including the potential loss of funds due to software exploits. Always consult a licensed financial advisor before making any investment or interacting with digital assets.