Crypto hackers lift $42m from GMX’s Arbitrum liquidity pool in broad daylight
The post Crypto hackers lift $42m from GMX’s Arbitrum liquidity pool in broad daylight appeared on BitcoinEthereumNews.com.
Despite layers of scrutiny, GMX’s V1 GLP pool was hacked for over $40 million in a brazen exploit. With leverage functions now frozen, traders are left wondering: How did audited contracts crack? And what does this mean for DeFi’s perpetual trading future? On July 9, on-chain perpetual and spot exchange GMX confirmed that its V1 GLP pool on Arbitrum had been exploited, with over $40 million worth of assorted tokens siphoned into an unknown wallet in a single transaction. The attack, which appears to have manipulated the GLP vault mechanism, forced the protocol to halt trading and pause the minting and redeeming of GLP on both Arbitrum and Avalanche. GMX clarified that the breach was isolated to V1 and did not impact GMX V2, its token, or other associated markets. While the GMX team has yet to disclose the exact exploit vector, the incident exposes the fragility of even audited smart contracts and raises urgent questions about the sustainability of decentralized leverage markets, where GMX has long been a dominant player. How audits failed to stop the $40 million GMX exploit The attacker’s path to draining $40 million from GMX’s V1 GLP pool was alarmingly straightforward yet devastatingly effective. According to blockchain analysts, the exploit involved manipulating the protocol’s leverage mechanism to mint excessive GLP tokens without proper collateral. Once the attacker artificially inflated their position, they redeemed the fraudulently minted GLP for underlying assets, leaving the pool short of over $40 million in a matter of blocks. The funds didn’t remain idle for long. According to Cyvers and Lookonchain, the attacker used a malicious contract funded through Tornado Cash to obscure the origin of the exploit. Roughly $9.6 million of the estimated $42 million haul was bridged from Arbitrum to Ethereum using Circle’s Cross-Chain Transfer Protocol, with portions swiftly…
Filed under: News - @ July 10, 2025 2:26 am