GMX Releases $40 Million Vulnerability Exploitation Event Recap: Further Discussion on Compensation Measures

BlockBeats News, July 11, GMX officially released a summary report on the GMX V1 approximately $40 million exploit on Arbitrum.

Event Summary:

The attacker bypassed the PositionRouter and PositionManager contracts (usually responsible for calculating the average short price) by directly calling the Vault contract's increasePosition function through reentrancy;

Through manipulation, the attacker pushed the BTC average short price down from $109,505.77 to $1,913.70;

Using a flash loan, the attacker purchased GLP at a normal price of $1.45, opening a $15 million position;

Due to the manipulated price, the GLP price was pushed above $27, allowing the attacker to redeem GLP at a high price for profit;

GMX has confirmed that V2 does not have a similar vulnerability.

Next Step Funding Situation:

Approximately $3.6 million remains in the GLP pool, reserved for unclosed positions;

The cost of V1's GLP on Arbitrum this week is around $500,000 (excluding the 30% portion allocated to GMX stakers) and will be transferred to the DAO Treasury for compensation;

Will disable GLP minting and redemption on Arbitrum (redemption disablement requires a 24-hour Timelock);

Disable GLP minting on Avalanche but retain the redemption function;

Enable the closure of V1 positions on Arbitrum and Avalanche, disable opening positions to prevent a recurrence of the vulnerability;

Cancel V1 orders on Arbitrum and Avalanche. Remaining funds in the GLP pool on Arbitrum will be allocated to the compensation pool for use by affected GLP holders.

After the above steps are completed, the GMX DAO will discuss further compensation measures. It is recommended that all GMX V1 forks take immediate action, await fixes and audits before re-enabling trading and minting of GLP-like tokens.