
Losses exceeded $40 million, GMX hacking incident analysis

2025/07/10 11:00

GMX suffered a hacker attack, resulting in losses of more than $40 million. The attacker exploited a reentrancy vulnerability and opened a short position while the leverage function of the contract was enabled.

The root of the problem lies in the incorrect use of the executeDecreaseOrder function. The first parameter of the function should have been an externally owned account (EOA), but the attacker passed in a smart contract address. This allowed the attacker to re-enter the system during the redemption process, manipulate the internal state, and ultimately redeem assets far exceeding the actual value of the GLP they held.

GLP normal redemption mechanism

In GMX, GLP is a liquidity provider token that represents a share of treasury assets (such as USDC, ETH, WBTC). When a user calls unstakeAndRedeemGlp, the system uses the following formula to calculate the amount of assets that should be returned:

redeem_amount = (user_GLP / total_GLP_supply) * AUM

The calculation method of AUM (total assets under management) is:

AUM = Total value of all token pools + Global short unrealized losses - Global short unrealized profits - Reserved amount - Default deduction (aumDeduction)

This mechanism ensures that GLP holders receive a proportional share of the actual assets of the treasury.

Problems after leverage is enabled

When enableLeverage is turned on, users can open leveraged positions (long or short). The attacker opened a large WBTC short position before redeeming GLP.

Since the short position increases the global short size as soon as it is opened, the system treats the short position as losing money even when the price has not changed, and this unrealized loss is counted as an "asset" of the vault, artificially inflating the AUM. Although the vault does not actually gain any additional value, the redemption calculation is based on this inflated AUM, allowing the attacker to obtain assets far exceeding what they are entitled to.
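A worked model of the two formulas above and the leverage interaction just described, added here as an illustration rather than GMX's own code: a constructed toy vault in which the global short book shows an unrealized loss (assumption: its recorded average entry price sits below the current mark price), so the AUM-based payout exceeds the redeemer's pro-rata share of the assets the vault really holds. The `fair_share` / `redemption_overpays` invariant is a hypothetical defender-side check, not something the GMX contract implements.

```python
from dataclasses import dataclass, replace

@dataclass
class Vault:
    """Constructed toy vault state (assumed model, not GMX's contract)."""
    pool_usd: float         # value of all token pools at current prices
    reserved_usd: float     # reserved amount backing open positions
    aum_deduction: float    # fixed aumDeduction
    short_size_usd: float   # global short size in USD
    short_avg_price: float  # recorded global short average entry price
    mark_price: float       # current index price of the shorted asset
    total_glp: float        # total GLP supply

def global_short_delta(v: Vault) -> float:
    """Unrealized PnL of the global short book; positive means shorts are losing,
    which the vault books as an asset (negative means shorts are in profit)."""
    if v.short_size_usd == 0:
        return 0.0
    return v.short_size_usd * (v.mark_price - v.short_avg_price) / v.short_avg_price

def aum(v: Vault) -> float:
    # AUM = pools + global short losses - global short profits - reserved - aumDeduction
    return v.pool_usd + global_short_delta(v) - v.reserved_usd - v.aum_deduction

def redeem_amount(v: Vault, user_glp: float) -> float:
    # redeem_amount = (user_GLP / total_GLP_supply) * AUM
    return user_glp / v.total_glp * aum(v)

def fair_share(v: Vault, user_glp: float) -> float:
    """Pro-rata share of assets the vault actually holds (pools net of reserves).
    Hypothetical invariant, not a GMX check."""
    return user_glp / v.total_glp * (v.pool_usd - v.reserved_usd)

def redemption_overpays(v: Vault, user_glp: float) -> bool:
    """True when the AUM-based payout exceeds the redeemer's share of real holdings."""
    return redeem_amount(v, user_glp) > fair_share(v, user_glp)

def scenario() -> tuple[float, float]:
    """Redeem 10% of GLP with no open shorts, then again after a large short
    is opened whose recorded entry sits below the mark (the book shows a paper loss)."""
    calm = Vault(pool_usd=10_000_000, reserved_usd=0, aum_deduction=0,
                 short_size_usd=0, short_avg_price=1, mark_price=1,
                 total_glp=10_000_000)
    honest = redeem_amount(calm, 1_000_000)          # 1,000,000: exact pro-rata share
    # Pools are unchanged; only the short book grew, yet AUM (and the payout) rise.
    levered = replace(calm, short_size_usd=50_000_000,
                      short_avg_price=90_000, mark_price=100_000)
    inflated = redeem_amount(levered, 1_000_000)     # ~1,555,556
    return honest, inflated

if __name__ == "__main__":
    print(scenario())
```

The second redemption pays out about 55% more than the first even though the vault's token pools never changed, which is exactly the gap a pre-transfer check against real holdings would flag.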

Attack Process

Attacking transactions


Closing remarks

This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection design. The core problem is that the asset redemption logic places too much trust in AUM and does not apply sufficiently prudent security checks to its components (such as unrealized losses). At the same time, key functions lack mandatory verification of assumptions about the caller's identity (EOA vs. contract). This incident once again reminds developers that for sensitive operations involving funds, they must ensure that the system state cannot be manipulated, especially when introducing complex financial logic such as leverage and derivatives, and must strictly guard against the systemic risks caused by reentrancy and state pollution.
