Hacked Perp DEX GMX to Repay $44M to Arbitrum GLP Holders After Exploit

Decentralized perpetuals exchange GMX said Wednesday that users hit by last month’s security breach can now claim compensation through its dApp.

“About $44 million in value is being distributed, making all impacted Arbitrum GLP holders whole and marking a favorable resolution to the security challenge GMX faced,” the project said.

The payout combines recovered funds with $2 million from GMX’s treasury.

GMX V1 Exploit Drains $42M via AUM Manipulation Vulnerability

The incident occurred on July 9, when GMX V1’s GLP pool on Arbitrum was exploited for $42 million.

At the time, blockchain security firm PeckShield attributed the loss to a reentrancy vulnerability that let the attacker manipulate the protocol’s assets-under-management (AUM) calculations, enabling them to withdraw more than their deposits.

GMX also confirmed that the $42 million exploit was caused by a re-entrancy vulnerability within its V1 contracts.

Although the affected function was protected by a nonReentrant modifier, it only applied within the same contract, allowing the attacker to bypass this safeguard and manipulate the BTC average short price through the Vault contract.

By exploiting this loophole, the attacker artificially drove the GLP price up and profited by redeeming inflated GLP tokens after opening a large position using a flash loan.

The vulnerability was tied to how GMX V1 handled pricing calculations across separate contracts, a structure that has been revised in GMX V2, where calculations and executions now occur within the same contract to avoid such risks.

In response, GMX paused trading on Avalanche, engaged with security partners and major infrastructure providers, and initiated direct on-chain communication with the exploiter.

Hours after the breach, GMX sent an on-chain message offering a 10% white-hat bounty if 90% of the stolen funds were returned, an offer the attacker accepted.

Compensation will be issued in GLV, GMX’s upgraded liquidity vault product for V2. Eligible claimants will receive equal portions of GLV [BTC-USDC] and GLV [WETH-USDC], reflecting roughly 25% Bitcoin, 25% Ether, and 50% stablecoins, mirroring the original GLP asset mix.

In addition, GMX has launched a $500,000 GLV incentive pool for users who hold their distributed GLV for at least three months without selling or transferring, offering pro-rata rewards to long-term holders.

Crypto Hacks, Scams Cost Investors $2.2B in H1 2025: CertiK

Crypto investors lost over $2.2 billion to hacks, scams, and breaches in the first half of 2025, driven largely by wallet compromises and phishing attacks, according to CertiK’s latest security report.

Wallet breaches alone caused $1.7 billion in losses across just 34 incidents, while phishing scams accounted for over $410 million across 132 attacks.

Two major incidents, including Bybit’s $1.5 billion hack in February and Cetus Protocol’s $225 million exploit in May, skewed the year’s losses upward, together accounting for nearly $1.78 billion.

Without these, losses align more closely with previous years at around $690 million.

Ethereum remained the primary target, suffering over $1.6 billion in losses across 175 events.

The report also pointed to rising sophistication of phishing schemes and ongoing risks from social engineering, urging crypto users to verify links, avoid suspicious sites, and use hardware wallets.

The post Hacked Perp DEX GMX to Repay $44M to Arbitrum GLP Holders After Exploit appeared first on Cryptonews.