A massive breach has shaken decentralized exchange GMX, draining $42 million from its liquidity pool. The platform is now offering the attacker a white-hat deal: return the funds, keep 10%, and walk away free—no questions asked.
A $42 Million Gut Punch in Broad Daylight
It started like any other day, but by 1:34 p.m. London time, GMX’s team was staring at numbers that didn’t add up. Their GLP liquidity pool, the core of their v1 protocol on Arbitrum, had started bleeding funds—fast. In total, about $42 million vanished.
Blockchain security firms like PeckShield and Cyvers were among the first to sound the alarm. The breach was clean and deliberate. The firms confirmed the exploit stemmed from a re-entrancy vulnerability in GMX’s smart contracts, a classic but brutal method that’s still catching protocols off guard in 2025.

Hacker Covered Tracks with Tornado Cash
Let’s be real: this wasn’t some kid in a basement poking around with trial-and-error.
The attacker funded a fresh wallet using Tornado Cash, the privacy tool that’s practically become the burner phone of crypto. From there, the wallet deployed a custom contract that set the whole thing in motion.
A few hours later, the attacker began siphoning money out in stages—first bridging $9.6 million from Arbitrum to Ethereum. It’s a tried and tested method. Laundering funds is easier when you pass them through different chains and protocols. It doesn’t erase the trail, but it sure does make it a whole lot messier to follow.
Trading Halted, Damage Contained (Sort Of)
GMX responded quickly.
They suspended trading and halted all minting and redemption of GLP tokens on both Arbitrum and Avalanche. Their messaging was clear: the exploit only affected v1, not the newer v2 contracts. Most trading these days happens on v2 anyway, so users were somewhat shielded.
One line from GMX’s statement stood out: “The attack has been contained. No further losses expected.” But confidence was already taking a beating.
The GMX token dropped like a rock—down 28%—falling to $11.20 in just a few hours. That’s the kind of drop that sends portfolios into panic mode.
GMX Sends On-Chain Message, Offers Bounty
Now comes the interesting part.
GMX took a page from the DeFi crisis playbook and sent a direct message—on-chain—to the hacker’s wallet. No code. Just plain English. It read like a plea but also a negotiation.
They’re offering 10% of the loot, or about $4.2 million, if the attacker returns the rest. That’s not all. They’re also offering immunity. No lawsuits, no police, no legal action—if the funds come back within 48 hours.
- 10% bounty = ~$4.2 million offered to the hacker
- 90% to be returned voluntarily
- 48-hour deadline for legal immunity
It’s a strategy that worked before for other protocols—sometimes. But it’s also a gamble. As of now, the attacker hasn’t responded, and the wallet still holds around $44 million in tokens.
Big Losses, Bigger Questions
Over $500 million in user deposits were technically at risk, though it’s still unclear how much of that has been directly impacted. GMX says they’re investigating.
The truth is, this attack—like many others—isn’t just about a hole in the code. It’s a reminder of how fragile trust still is in DeFi.
One user on X (formerly Twitter) summed it up perfectly: “You can build a castle, but one backdoor and it’s all just sand.” It’s crude, but not wrong.
There’s also pressure from regulators. Tornado Cash, already sanctioned by the U.S. Treasury in 2022, is once again in the spotlight for enabling this kind of cover-up. And now, everyone from on-chain sleuths to white-hat hackers is watching this address like a hawk.
Here’s What We Know So Far
Let’s break down where things stand. No fluff. Just facts.
| Event | Detail |
|---|---|
| Time of exploit | 1:34 p.m. London, July 9 |
| Amount stolen | $42 million |
| Platform affected | GMX v1 on Arbitrum |
| Method of attack | Re-entrancy vulnerability via malicious smart contract |
| Funds laundered so far | $9.6 million bridged to Ethereum |
| Bounty offer | 10% of stolen funds (~$4.2 million) |
| Deadline for return | 48 hours from the offer |
| Status of funds | ~$44 million still held in attacker’s wallet |
| Token impact | GMX price dropped 28%, fell to $11.20 |
Will the Hacker Take the Deal?
So, what happens now?
The clock is ticking. GMX gave the attacker 48 hours. If that wallet doesn’t move soon, legal hounds will be unleashed. That’s the risk the attacker now faces—either take the money and walk or risk law enforcement, chain surveillance, and global exchange blacklists.
But here’s the kicker: some attackers have taken similar deals in the past. Not out of goodwill, but because it’s better to walk away with $4 million than run forever with $42 million no one will let you spend.
Nobody knows yet what this attacker will do. But whatever the outcome, GMX has a lot of damage control ahead.