GMX suffered an attack. The attacker exploited a reentrancy vulnerability in the project contract and made a profit of approximately US$42 million. The Beosin security team conducted a vulnerability analysis and fund tracking for this attack, and shares the results below.
Detailed attack steps
The attacker first exploited the margin refund mechanism in the executeDecreaseOrder function of the OrderBook contract, launching a reentrancy attack to bypass the contract's Timelock leverage switch:

Then, the attacker borrowed USDC through flash loans to pledge it and mint GLP, and at the same time opened BTC short positions with USDC as margin, causing the AUM value of the GlpManager contract to be artificially inflated. Because GLP is priced from this value, the inflated AUM directly distorted the GLP price.

Finally, the attacker redeemed GLP at an abnormal price for profit and specified that it be exchanged for other tokens.
Vulnerability Analysis
Through the above attack process, we can see that the reasons for the vulnerability exploitation of the entire incident are as follows:
- Lack of reentrancy protection, resulting in reentry and modification of internal states during the redemption process.
- The redemption logic is relatively complex and lacks sufficient security checks.
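To make the two causes above concrete, the following is an added illustration (not GMX's or Beosin's code) of the vulnerable shape described in the attack steps beside a hardened form. It assumes a hypothetical vault with a leverage switch that the order executor opens for the duration of an execution and closes afterwards; the margin refund is an external call made while the switch is still open.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical vault interface modelled on the page's description; not GMX's own code.
interface IVault {
    function setLeverageEnabled(bool on) external;
    function decreasePosition(address account, uint256 amount) external returns (uint256 refund);
}

// VULNERABLE shape: the leverage switch is still open when the margin refund
// makes an external call, so the refund recipient can re-enter the vault with
// leverage checks bypassed before the switch is closed.
contract OrderBookVulnerable {
    IVault public immutable vault;
    constructor(IVault v) { vault = v; }

    function executeDecreaseOrder(address account, uint256 amount) external {
        vault.setLeverageEnabled(true);                 // opened for this execution
        uint256 refund = vault.decreasePosition(account, amount);
        (bool ok, ) = account.call{value: refund}("");  // external call, switch still open
        require(ok, "refund failed");
        vault.setLeverageEnabled(false);                // closed too late
    }
}

// HARDENED shape: finalise all state (close the switch) before any external
// call, and block re-entry into order execution. Note that nonReentrant on
// this contract alone does not protect the vault's own functions; restoring
// the switch before the refund is what closes the cross-contract window.
contract OrderBookHardened is ReentrancyGuard {
    IVault public immutable vault;
    constructor(IVault v) { vault = v; }

    function executeDecreaseOrder(address account, uint256 amount) external nonReentrant {
        vault.setLeverageEnabled(true);
        uint256 refund = vault.decreasePosition(account, amount);
        vault.setLeverageEnabled(false);                // effects first
        (bool ok, ) = account.call{value: refund}("");  // interaction last
        require(ok, "refund failed");
    }
}
```

The hardened version applies checks-effects-interactions: every protocol flag is returned to its safe value before control leaves the contract, so a reentrant call sees the same state an honest caller would.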
Although GMX has undergone multiple security audits, this reentrancy vulnerability was still missed. If the redemption logic had been checked more strictly and possible reentrancy paths taken into account, such security incidents could have been avoided.
Stolen funds tracking
Beosin Trace tracked the stolen funds and found that the attacker's address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 made a profit of about US$42 million. The attacker then exchanged stablecoins and altcoins into ETH and USDC, and transferred the stolen assets to the Ethereum network through multiple cross-chain protocols. Currently, about US$32 million worth of the stolen assets, held as ETH, are stored in the following four Ethereum network addresses:
- 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7
- 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95
- 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3
- 0x639cd2fc24ec06be64aaf94eb89392bea98a6605
Approximately US$10 million in assets are held at the Arbitrum network address 0xdf3340a436c27655ba62f8281565c9925c3a5221. Beosin Trace has added the hacker's related addresses to its blacklisted-address database and will continue to track them.

According to Beosin Trace analysis, all stolen funds are still held in multiple addresses controlled by the attacker.
Summary
The core of this attack is a reentrancy vulnerability in the GMX contract, which allowed the attacker to redeem a large amount of assets for profit through an artificially inflated AUM value. Complex DeFi protocols like GMX require comprehensive and multi-level security audits to thoroughly test and review the contract code. Previously, the Beosin security team has completed security audits of multiple DeFi protocols (such as Surf Protocol, SyncSwap, LeverFi, and Owlto Finance), focusing on discovering contract logic defects and extreme situations that may be overlooked, ensuring that DeFi protocols are fully tested.