Overview

On July 9, 2025, the decentralized perpetual exchange GMX suffered a major security breach, resulting in the theft of approximately $42 million in crypto assets from its GMX v1 protocol on the Arbitrum blockchain.

Background on GMX Protocol

GMX is a decentralized exchange (DEX) that enables users to trade both spot and perpetual futures for cryptocurrencies such as Bitcoin, Ethereum, and Avalanche directly from their own wallets, without relying on centralized intermediaries. The platform operates primarily on the Arbitrum and Avalanche blockchains, offering high leverage and low trading fees.

Technical Analysis of the Exploit

Incident Overview

Date: Jul 9, 2025

Attacker Address: 0xdf3340a436c27655ba62f8281565c9925c3a5221

Attack Contract: 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355

Attack Transaction: 0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef

Root Cause

1. Vulnerability in the Calculation of globalShortAveragePrices in the ShortTracker Contract.

   The total size of existing short positions was approximately $15K—a relatively small amount—which allowed the attacker to repeatedly create large short BTC positions and place orders to close them. This manipulation caused the average short price to drop to a value 57 times lower than its actual market value.

2. Exploitation of Smart Contract to Bypass Direct increasePosition Calls to the Vault contract.

   The attacker deployed a smart contract as the position owner and customized its fallback logic. When the GMX Keeper executed a decrease order, this logic bypassed the validation in the increasePosition function of the Vault contract.

Attack Flow

The attacker orchestrated a sophisticated exploit involving multiple steps to drain funds from the protocol:

1. Set up the reentrancy exploit to directly call the increasePosition function in the Vault contract.

2. Repeatedly created large short BTC positions and placed close orders, aiming to manipulate the globalShortAveragePrices value in the ShortTracker contract.

3. Once globalShortAveragePrices was sufficiently reduced, the attacker used a flash loan to stake GLP and open a large short position to manipulate the GLP price. They then executed unstakeAndRedeemGlp to collect the profit.

In-Depth Breakdown:

The attacker deployed the exploit contract, then proceeded to place two orders: one to open a position and another to decrease the position via the newly created exploit contract. These orders were subsequently executed by the GMX Keeper.

Once the Keeper called the executeDecreaseOrder function in the PositionManager contract, this triggered the enableLeverage function in the Timelock contract, which allowed the exploit contract to directly call increasePosition in the Vault contract.

Next, the attacker executed a loop of actions (5 times) that involved opening short BTC positions with large volumes and then placing orders to close these short positions. This systematic process was designed to manipulate the globalShortAveragePrices value in the ShortTracker contract.

When the increasePosition function in the Vault contract is called, it updates the values of globalShortAveragePrices and globalShortSizes. In the first iteration, the attacker placed a short BTC position with a volume of approximately $90,030. This action caused the globalShortSizes to increase from roughly $15,385 to $105,415.

How can these actions manipulate the value of globalShortAveragePrices?

When a new short BTC position is opened and a decrease order is executed, it updates the globalShortSizes and recalculates the value of globalShortAveragePrices. The vulnerability existed because the current value of globalShortSizes for BTC was only ~$15,385—relatively small—allowing the attacker to significantly impact the average short price calculation by opening large short positions. Through this exploitation, the attacker systematically manipulated the average short price from $108,757 to $104,766, then to $85,421, followed by $40,173, then $9,881, and finally down to $1,913.

With a position volume of approximately $80,000-$100,000, the delta was significantly larger than the _nextSize (roughly $15,000 after closing the short position). This size disparity allowed the attacker to manipulate the next average short price.

Once the globalShortAveragePrices was sufficiently reduced, the attacker proceeded to maximize profits through a flash loan. The attacker first obtained approximately $7.5M USDC through a flash loan. From this amount, they used $6M to execute mintAndStakeGlp in the RewardRouterV2 contract and utilized the remaining funds to open a large-volume short BTC position.

When the large-volume short BTC position was executed, the Vault contract immediately increased the globalShortSizes to the new value. After that, the attacker executed unstakeAndRedeemGlp to unstake and redeem rewards from staking GLP tokens.

At the time unstakeAndRedeemGlp executed, the globalShortAveragePrices in the ShortTracker contract was approximately $1,913. This extremely low value caused the system to record that the position had a large loss amount. As a result, the AUM (Assets Under Management - used in reward calculation for staking GLP tokens) value in the GlpManager contract artificially increased, enabling the attacker to redeem their tokens and receive significantly more assets than they should have. Finally, the attacker took a total profit of approximately $42M from the exploit.

Conclusion

The two main reasons for this exploit:

• The mechanism that allowed the attacker to bypass validation and directly call the increasePosition function

• The flawed globalShortAveragePrices calculation in the ShortTracker contract, which enabled manipulation through short positions with values significantly larger than the total short size (~$15K)

Based on this exploit, here are key security recommendations:

• Implement robust reentrancy guards for all critical functions.

• Delayed mechanisms for staking and unstaking.

• Implement mechanisms to monitor critical statistics such as price, global short size, and other key parameters.