Author: Fairy, ChainCatcher
Editor: TB, ChainCatcher
During the bear market of 2022, GMX was one of the few highlights, serving as a representative project for on-chain perpetual contracts, even holding an almost monopolistic position at one point.
However, as the market recovers and competition intensifies, its brilliance has gradually been overshadowed by rising stars. Now, a $42 million hack has once again brought GMX back into the public eye.
Sadder still, the incident did not attract widespread attention in the Chinese community. A project that once had a strong influence in the industry is quietly exiting the main stage.
The former king has suffered severe damage
Since its launch in September 2021, GMX's TVL rapidly grew to $350 million before the LUNA crash and reached a peak of about $700 million in May 2023. Its token price also rose sharply, reaching a high of $91 in April 2023.
However, with the rise of new protocols, the market share of older projects like GMX is being constantly eroded. The recent hacker attack on GMX comes as a further setback against the backdrop of declining traffic.
This attack caused GMX's token price to drop by 17.3%, with about $100 million evaporating from TVL, a decline of up to 20%. The hackers stole over $42 million in crypto assets, spanning mainstream tokens including WBTC, WETH, UNI, FRAX, LINK, USDC, USDT, and others.
After the incident, the GMX team immediately left a message on the hacker's address, offering a 10% white hat bounty. However, according to Ember monitoring, the attacker has exchanged most of the stolen assets for about 11,700 ETH and dispersed them into four wallets. This operation essentially means the attacker has rejected the bounty proposal put forth by the project team.
It is worth noting that this is not the first time GMX has encountered an attack. Back in September 2022, its v1 protocol deployed on Avalanche was exploited by hackers, resulting in a loss of about $560,000.
Attack path breakdown
In GMX, GLP is the liquidity provider token, representing a share in the vault's assets (such as USDC, ETH, WBTC). When the enableLeverage function is turned on, users can establish leveraged positions, including long or short operations.
According to security company BlockSec's analysis, the root cause of the issue lies in the incorrect invocation of the executeDecreaseOrder function.
The first parameter of this function was supposed to be an externally owned account (EOA), but the attacker passed in a smart contract address, which enabled a reentrancy attack.
Specifically, before redeeming GLP, the attacker opened a large short position in WBTC. Opening the short immediately increased the global short size, and the system treated this short as being at a loss even though the price had not moved. This unrealized loss was counted as 'assets' of the vault, resulting in an artificially inflated AUM.
Although the vault did not actually gain additional value, the redemption calculation was based on this inflated AUM, allowing the attacker to obtain assets far exceeding what they deserved.
Image source: BlockSec
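Added example (not GMX or BlockSec code): a toy Python model of the accounting described above, with the invariant a fork maintainer could turn into a regression test, namely that opening a position at an unchanged price must not change AUM. The ToyVault class, its fields, the update_avg switch (an assumed way for size to grow while the loss baseline stays stale) and all numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ToyVault:
    held_usd: float               # value of tokens the vault really holds
    glp_supply: float             # GLP outstanding
    short_size: float = 0.0       # global short size (USD notional)
    short_avg_price: float = 0.0  # tracked average entry price of all shorts

    def open_short(self, size_usd, mark, update_avg=True):
        # update_avg=False is the assumed flawed path: the global short size
        # grows while the tracked entry price is left stale.
        if update_avg or self.short_size == 0:
            units = size_usd / mark
            if self.short_size:
                units += self.short_size / self.short_avg_price
            self.short_avg_price = (self.short_size + size_usd) / units
        self.short_size += size_usd

    def aum(self, mark):
        # Held assets plus the shorts' unrealized loss, booked as a vault asset.
        if self.short_size == 0:
            return self.held_usd
        loss = self.short_size * (mark - self.short_avg_price) / self.short_avg_price
        return self.held_usd + loss

    def redeem_value(self, glp, mark):
        # GLP is redeemed pro rata against AUM.
        return glp * self.aum(mark) / self.glp_supply

def aum_change_on_open(vault, size_usd, mark, update_avg, tol=1e-9):
    """Invariant: opening a position at an unchanged price must leave AUM
    unchanged. Returns (relative AUM change, violated?)."""
    before = vault.aum(mark)
    vault.open_short(size_usd, mark, update_avg)
    change = (vault.aum(mark) - before) / before
    return change, abs(change) > tol

def sample_vault():
    # Constructed numbers: $1M held, 1M GLP, $100k of shorts entered at 50,000.
    return ToyVault(1_000_000, 1_000_000, 100_000, 50_000)

if __name__ == "__main__":
    for ok in (True, False):
        v = sample_vault()
        change, bad = aum_change_on_open(v, 1_000_000, 100_000, update_avg=ok)
        print(ok, round(change, 4), bad, round(v.redeem_value(100_000, 100_000)))
```

With consistent bookkeeping the same 100,000 GLP redeems for the same value before and after the short is opened; on the flawed path the redemption value nearly doubles although the vault holds nothing more.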
$27 million in funds may face a chain reaction?
GMX's early success triggered a 'forking craze', where many projects copied its open-source code, making slight modifications or deploying it to other blockchains. Security company PeckShield warned that the vulnerabilities exploited in GMX v1 might also exist in these replica protocols.
It is estimated that approximately $27 million in funds are still exposed to this type of risk. DeFiLlama data shows 64 related projects have been identified, but only 13 have a TVL exceeding $100,000.
Image source: DeFiLlama
GMX has issued a warning on platform X, calling for these projects to immediately take countermeasures, including disabling leverage functions and pausing the minting of GLP tokens to prevent similar attacks from happening again.
Circle's slow response ignites public anger
In this attack incident, the stablecoin issuer Circle also faced criticism, as its response speed was considered 'too slow' by the community. Several users pointed out that Circle had the opportunity to blacklist the hacker's address and freeze over $9 million in stolen USDC but did not take any timely measures.
The attacker even used Circle's own cross-chain bridging tool CCTP to transfer 8 million USDC from Arbitrum to Ethereum, then exchanged it for DAI. Although these funds stayed on-chain for 1-2 hours, Circle did not respond at all.
On-chain analyst ZachXBT also publicly criticized Circle's sluggishness. This is not the first time ZachXBT has attacked Circle; he has repeatedly questioned co-founder Jeremy Allaire on Twitter about why the company is always 'a beat slow' at critical moments. For example, during the Bybit hack incident, Circle only froze the relevant addresses a day later.
GMX was a pioneer in decentralized perpetual contract trading platforms, leading a golden trend. Looking back at the development of this sector, the first generation project DYDX once flourished, but now struggles to escape silence, while Perpetual Protocol is nearly 'extinct'; the second-generation project GMX was severely damaged by hacker attacks; today, only the third-generation project Hyperliquid is rising strongly, dominating the scene.
The market landscape is ever-changing; security and evolution are the perpetual paths for projects.