GMX attacked, losing over 42 million USD on Arbitrum
The on-chain derivatives exchange GMX on Arbitrum has been attacked, resulting in a loss of over 42 million USD. The stolen funds were quickly transferred from Arbitrum to Ethereum and swapped to DAI to avoid being frozen.
Details of the attack and response
Data from DeBank shows unusual outflows from smart contracts related to the GMX Vault. The cause is believed to be a re-entrancy bug in the GLP v2 minting model of GMX, which allowed the hacker to withdraw all assets from the pool.
This incident caused the price of the GMX token to drop by more than 10%. The GMX team has confirmed the attack, urged projects using GMX V1 to adjust immediately, and sent on-chain messages asking the hacker to return 90% of the funds in exchange for keeping 10% as a reward.
The incident has also raised concerns for projects built on pool-to-peer structures similar to GMX's, prompting consideration of safer alternatives.