GMX suffers from a reentrancy vulnerability attack, resulting in losses exceeding $40 million.
GMX Faces Major Security Vulnerability, Loss Exceeds $40 Million
Recently, a hacker attack incident targeting a decentralized trading platform has attracted widespread attention in the industry. The attacker exploited a reentrancy vulnerability to open short positions while the contract had leverage functionality enabled, successfully stealing over 40 million dollars in assets from the platform.
The core issue of this attack lies in the improper use of the executeDecreaseOrder function. The function was originally designed to take an externally owned account (EOA) as its first parameter, but the attacker passed in a smart contract address instead. Because a contract receiver can run code when it is called, the attacker was able to re-enter the system during the asset redemption process, manipulate the internal state, and ultimately obtain assets far exceeding the actual value of the GLP they held.
Under normal circumstances, the platform's GLP tokens represent the user's share of the various assets in the liquidity pool (such as USDC, ETH, WBTC, etc.). When users redeem GLP, the system calculates the amount of assets to be returned based on the current total assets under management (AUM) and the proportion of GLP held by the user. The calculation of AUM involves multiple factors, including the total value of all token pools, the unrealized gains and losses of global short positions, etc.
However, when the platform enabled leverage trading, this mechanism exposed a fatal weakness. The attacker opened a large short position in WBTC before redeeming GLP. Since the system considers unrealized losses as "assets" when calculating AUM, this artificially inflated the AUM, even though the treasury did not gain any additional value. The redemption calculation based on this inflated AUM allowed the attacker to obtain assets exceeding their entitled share.
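The following is an added toy model written for this article; it is not GMX's code and uses constructed numbers. It shows the two points above side by side: a redemption priced from an AUM figure that counts the global short's unrealized loss as a pool asset, and a decrease-order path that hands control to an arbitrary receiver before its own accounting is settled, so a contract receiver can re-enter. The `aum_checked` cap (loss counted never exceeds the collateral actually posted) and the `execute_decrease_order_guarded` lock are assumed mitigations for illustration, not the platform's fix.

```python
"""Toy model (constructed for this article, not GMX code) of GLP redemption
priced from AUM, and of a decrease-order path with a receiver callback."""


class ReentrancyError(Exception):
    """Raised by the guarded path when a nested call is attempted."""


class Pool:
    def __init__(self, token_values_usd, glp_supply):
        self.token_values_usd = dict(token_values_usd)  # USD value per pool token
        self.glp_supply = float(glp_supply)
        self.short_size_usd = 0.0        # global short size, USD
        self.short_avg_price = 0.0       # volume-weighted entry price of the global short
        self.short_collateral_usd = 0.0  # collateral actually posted by short traders
        self.mark_price = 0.0            # current index price of the shorted asset
        self._locked = False             # reentrancy guard used by the hardened path

    def open_short(self, size_usd, entry_price, collateral_usd):
        """Fold a new short into the global short accounting."""
        total = self.short_size_usd + size_usd
        if self.short_size_usd == 0:
            self.short_avg_price = entry_price
        else:
            self.short_avg_price = (self.short_avg_price * self.short_size_usd
                                    + entry_price * size_usd) / total
        self.short_size_usd = total
        self.short_collateral_usd += collateral_usd

    def short_unrealized_loss(self):
        """Loss carried by the short side: positive when mark price is above entry."""
        if self.short_size_usd == 0:
            return 0.0
        loss = self.short_size_usd * (self.mark_price - self.short_avg_price) / self.short_avg_price
        return max(0.0, loss)

    def aum(self):
        """Vulnerable AUM: the short side's unrealized loss is counted as a pool asset."""
        return sum(self.token_values_usd.values()) + self.short_unrealized_loss()

    def aum_checked(self):
        """Assumed mitigation: never count more loss than the collateral backing it."""
        loss = min(self.short_unrealized_loss(), self.short_collateral_usd)
        return sum(self.token_values_usd.values()) + loss

    def redeem_value(self, glp_amount, checked=False):
        """USD paid out for glp_amount, pro rata against AUM."""
        total = self.aum_checked() if checked else self.aum()
        return glp_amount * total / self.glp_supply

    def execute_decrease_order(self, receiver, size_usd):
        """Vulnerable path: the receiver is called before the short accounting is
        updated, so a contract receiver runs with the pool's state still in flight."""
        if hasattr(receiver, "on_receive"):
            receiver.on_receive(self)
        self.short_size_usd = max(0.0, self.short_size_usd - size_usd)

    def execute_decrease_order_guarded(self, receiver, size_usd):
        """Hardened path: reentrancy lock plus checks-effects-interactions ordering."""
        if self._locked:
            raise ReentrancyError("nested call into execute_decrease_order")
        self._locked = True
        try:
            self.short_size_usd = max(0.0, self.short_size_usd - size_usd)  # effects first
            if hasattr(receiver, "on_receive"):
                receiver.on_receive(self)                                    # interaction last
        finally:
            self._locked = False


class ReenteringReceiver:
    """Contract-like receiver (constructed) that calls back into the pool from
    its callback: it books a large, thinly collateralised short and, when the
    guarded path is in use, tries to re-enter the decrease-order function."""

    def __init__(self, guarded):
        self.guarded = guarded

    def on_receive(self, pool):
        pool.open_short(size_usd=10_000_000, entry_price=100_000, collateral_usd=100_000)
        if self.guarded:
            pool.execute_decrease_order_guarded(self, 0)  # rejected by the lock


def _fresh_pool():
    pool = Pool({"USDC": 1_000_000, "ETH": 2_000_000, "WBTC": 2_000_000}, glp_supply=5_000_000)
    pool.mark_price = 120_000  # constructed index price; shorts opened at 100_000 are under water
    return pool


def baseline_payout():
    """Redeeming 10% of GLP against a 5,000,000 USD pool with no shorts open."""
    return _fresh_pool().redeem_value(500_000)


def inflated_payout():
    """Same redemption after the callback booked the short: (vulnerable, checked)."""
    pool = _fresh_pool()
    pool.execute_decrease_order(ReenteringReceiver(guarded=False), size_usd=0)
    return pool.redeem_value(500_000), pool.redeem_value(500_000, checked=True)


def guarded_attempt():
    """On-chain the whole transaction would revert; here the lock raises."""
    try:
        _fresh_pool().execute_decrease_order_guarded(ReenteringReceiver(guarded=True), size_usd=0)
    except ReentrancyError:
        return "rejected"
    return "completed"
```

With these numbers the 10% redemption is worth 500,000 USD on the untouched pool; after the callback books a 10,000,000 USD short sitting on a 2,000,000 USD paper loss, the vulnerable AUM pays 700,000 USD for the same GLP, while the collateral-capped AUM pays 510,000 USD, and the guarded path refuses the nested call outright. The two checks are independent: the lock stops the re-entry, the cap stops a single mis-recorded position from moving the redemption price further than the value that actually backs it.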
![Loss exceeds 40 million USD, analysis of the GMX hacking incident principle](https://img-cdn.gateio.im/webp-social/moments-a3f421784982dfc8b3ed7e41716befeb.webp)
This incident exposed serious flaws in the platform's design of the leverage mechanism and implementation of reentrancy protection. The main issue lies in the asset redemption logic's excessive reliance on the AUM value, without sufficient security verification of its components (such as unrealized losses). At the same time, the key functions lack mandatory checks on the identity of the callers.
This security incident once again serves as a warning to DeFi developers that they must ensure that the system's state cannot be manipulated externally when handling sensitive financial operations. This is particularly crucial when introducing complex financial logic such as leveraged trading and derivatives, where strict precautions against reentrancy attacks and state contamination must be taken to mitigate systemic risk. All parties in the industry should learn from this incident, strengthen the security auditing and risk management of smart contracts, and maintain the healthy development of the decentralized finance ecosystem.