GMX suffered an attack resulting in losses of over $40 million. The attacker exploited a reentrancy vulnerability to open a large short position during the window in which the contract's leverage feature was enabled, and then redeemed GLP against the inflated valuation that resulted.

The root of the problem lies in how the executeDecreaseOrder function was used. Its first parameter is the account the order belongs to and was expected to be an externally owned account (EOA), but nothing enforced that, and the attacker passed in a smart contract address. This let the attacker re-enter the system while executeDecreaseOrder was still running, manipulate internal state, and ultimately redeem assets far exceeding the actual value of the GLP held.

Normal GLP redemption mechanism

In GMX, GLP is the liquidity provider token, representing a share of the treasury assets (such as USDC, ETH, WBTC). When a user calls unstakeAndRedeemGlp, the system uses the following formula to calculate the amount of assets to be returned:

redeem_amount = (user_GLP / total_GLP_supply) * AUM

The calculation method for AUM (Assets Under Management) is:

AUM = Total value of all token pools + Global short unrealized losses (losses of traders who are short, which accrue to the pool) - Global short unrealized profits (gains of short traders, which the pool owes) - Reserved amounts (tokens backing open long positions) - Pre-set deductions (aumDeduction)

This mechanism ensures that GLP holders receive their proportional share of the actual assets in the treasury.

Issues after enabling leverage

When enableLeverage is turned on, users can open leveraged positions (long or short). Before redeeming GLP, the attacker opened a large short position in WBTC.

Opening the short increases the global short size immediately. The accounting then treats the new short as already under water even though the price has not moved, and that unrealized loss is booked as an "asset" of the treasury, inflating AUM. No value actually entered the treasury, but the redemption calculation is priced off the inflated AUM, so the attacker received assets far exceeding what their GLP was worth. The size of the inflation scales with the size of the short, and with leverage enabled the short size is not bounded by what the vault holds.
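The following is an added, simplified model of the two formulas above (it is not GMX's code, and the pool sizes, prices and short size are constructed for illustration). It computes AUM, the GLP price and the redemption amount for a vault, then records a large short whose average entry price sits just below the mark price and shows how the resulting "unrealized loss" lifts the redemption value of the same GLP without any token entering the vault. The short_loss_share function is a practitioner's sanity check, not a check that exists in GMX: it reports what fraction of AUM is paper value coming from the short-loss term.

```python
"""Toy model of the GLP AUM / redemption formula described on this page.
Constructed example, not GMX's own code; all numbers are illustrative."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class TokenPool:
    pool_amount: float      # tokens the vault actually holds
    reserved_amount: float  # tokens reserved to back open long positions
    price: float            # mark price in USD


@dataclass
class GlobalShort:
    size_usd: float         # aggregate short size, in USD
    average_price: float    # size-weighted average entry price


@dataclass
class Vault:
    pools: Dict[str, TokenPool]
    shorts: Dict[str, GlobalShort] = field(default_factory=dict)
    aum_deduction: float = 0.0
    glp_supply: float = 0.0


def global_short_delta(vault: Vault, token: str) -> float:
    """Unrealized PnL of the global short seen from the vault's side.
    Positive when short traders are under water (price above their average
    entry), negative when they are in profit."""
    short = vault.shorts.get(token)
    if short is None or short.size_usd == 0:
        return 0.0
    price = vault.pools[token].price
    return short.size_usd * (price - short.average_price) / short.average_price


def compute_aum(vault: Vault) -> float:
    """AUM = pool value - reserved + short losses - short profits - aumDeduction."""
    aum = 0.0
    for token, pool in vault.pools.items():
        aum += (pool.pool_amount - pool.reserved_amount) * pool.price
        aum += global_short_delta(vault, token)
    return max(aum - vault.aum_deduction, 0.0)


def glp_price(vault: Vault) -> float:
    return compute_aum(vault) / vault.glp_supply


def redeem_usd(vault: Vault, user_glp: float) -> float:
    """redeem_amount = (user_GLP / total_GLP_supply) * AUM"""
    return user_glp / vault.glp_supply * compute_aum(vault)


def short_loss_share(vault: Vault) -> float:
    """Fraction of AUM made up of unrealized short losses, i.e. value that exists
    only on paper. A sanity check added here, not a GMX check."""
    aum = compute_aum(vault)
    paper = sum(max(global_short_delta(vault, t), 0.0) for t in vault.pools)
    return paper / aum if aum else 0.0


def open_short(vault: Vault, token: str, size_usd: float, entry_price: float) -> None:
    """Record a new global short. Nothing here is bounded by what the vault
    holds; only bookkeeping changes."""
    cur = vault.shorts.get(token)
    if cur is None or cur.size_usd == 0:
        vault.shorts[token] = GlobalShort(size_usd, entry_price)
        return
    new_size = cur.size_usd + size_usd
    avg = (cur.average_price * cur.size_usd + entry_price * size_usd) / new_size
    vault.shorts[token] = GlobalShort(new_size, avg)


def build_vault() -> Vault:
    # Constructed: $10M USDC and 100 WBTC at $100k, 20M GLP outstanding ($1/GLP).
    return Vault(
        pools={
            "USDC": TokenPool(pool_amount=10_000_000, reserved_amount=0, price=1.0),
            "WBTC": TokenPool(pool_amount=100, reserved_amount=0, price=100_000.0),
        },
        glp_supply=20_000_000,
    )


def demo() -> dict:
    v = build_vault()
    before = redeem_usd(v, 1_000_000)  # 5% of a $20M treasury
    # A $1B short recorded at an average entry 1% below the mark: the vault
    # immediately books a ~$10.1M "loss" for short traders and adds it to AUM,
    # although no token entered the treasury.
    open_short(v, "WBTC", size_usd=1_000_000_000, entry_price=99_000.0)
    after = redeem_usd(v, 1_000_000)
    return {
        "aum_before": 20_000_000.0,
        "aum_after": compute_aum(v),
        "redeem_before": before,
        "redeem_after": after,
        "paper_share": short_loss_share(v),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val:,.4f}")
```

The point the numbers make is that the short-loss term is size times a price ratio: a 1% gap on a $1B short adds about $10M to AUM and lifts the redemption value of 1M GLP from $1.0M to roughly $1.5M, while the only thing that changed is a bookkeeping entry. A check such as short_loss_share flagging that a third of AUM is paper value is the kind of guard the redemption path lacked.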

Attack process

Attack transaction

https://app.blocksec.com/explorer/tx/arbitrum/0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef?line=93

Written at the end

This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection. The core issue is that the asset redemption logic relies entirely on AUM, with insufficient safety checks on the components that feed it (in particular unrealized short losses), and the key function does not verify the identity of the account it is given (EOA vs contract). Note that an EOA check on its own is not a reentrancy defense; a reentrancy guard on the state-changing entry points, or a checks-effects-interactions ordering, is what actually prevents the re-entry. This incident is a reminder to developers that wherever sensitive financial operations are involved, the system state must not be manipulable mid-transaction, especially when introducing complex financial logic such as leverage and derivatives, so that reentrancy and state contamination cannot become systemic risks.