Discover how GMX V1 lost $42 million in a reentrancy attack and learn key security insights to prevent similar smart contract exploits.
GMX v1 is a leading perpetual exchange on Arbitrum with TVL over $400 million across different chains. GMX did its latest iteration to GMX v2 in August 2023. With that change, there were still funds locked in GMX v1 contracts, which fell prey to the recent exploit.
On July 9th, 2025, GMX v1 lost over $42 million to a reentrancy attack. The attacker exploited the platform logic to calculate AUM (Assets Under Management). On the bright side, the attacker returned all the funds, keeping the white-hat bounty of $5 million.
The root cause of the attack on the GMX V1 lies in the executeDecreaseOrder function.
In the usual flow, a user would call executeDecreaseOrder in the Position Manager contract, which is then executed by the keeper bots in the GMX orderbook contract. In this case, the position's account address was not an EOA but the exploiter contract 0x7D3BD. That malicious smart contract took over the execution flow, leading to a reentrancy vulnerability.
In more detail: before the orderbook's executeDecreaseOrder function is called (by the keeper bot), the contract updates the short data and enables leverage. When the orderbook function is then called, the attacker's contract is refunded its gas costs, and that refund is what handed execution flow to the attacker's contract.
When the attacker contract took over the flow, they called the increasePosition() function and opened a large short position on WBTC by calling it directly in the Vault contract.
In the normal call of increasePosition(), which goes through PositionRouter and PositionManager contracts, they ensure that the average short price is properly calculated.
The price of GLP (GMX Liquidity Provider Token) is dependent on the PnL, which is calculated based on the average short price, which got skipped due to reentrancy. Due to bypassing this calculation, the attacker was able to open positions and manipulate the global average short price for BTC downwards from $109,515.05 to $1913.705.
The attacker used a flash loan to purchase GLP at a price of $1.45. The manipulation above changed the value of AUM, which skewed the GLP price upwards to above $27. The attacker then redeemed the minted GLP at the inflated price.
GMX post mortem: https://x.com/GMX_IO/status/1943336664102756471
Reentrancy bugs can be subtle but costly, like the $42M GMX V1 exploit. QuillAudits helps you catch such flaws early. Secure your smart contracts today.
Attack Transaction: https://arbiscan.io/tx/0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef
Exploiter Address: 0xDF3340A436c27655bA62F8281565C9925C3a5221
Exploiter Contract: 0x7D3BD50336f64b7A473C51f54e7f0Bd6771cc355
GMX V1 Vault Contract: 0x489ee077994B6658eAfA855C308275EAd8097C4A
GLP Manager Contract: 0x321F653eED006AD1C29D174e17d96351BDe22649
The attacker moved funds across different wallets and later transferred ~$40 million back to the GMX Multisig wallet 0x8D1d2e24eC641eDC6a1ebe0F3aE7af0EBC573e0D, keeping the $5 million as a white-hat bounty.
The reentrancy attack was only possible because the contract allowed a contract to be used as the account parameter when calling executeDecreasePosition. Checking whether the account is an EIP-7702 type account or a contract with code would have saved the protocol from this exploit.
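As an added illustration (not GMX's code), the following Solidity sketch shows the account gate recommended above: the `account` parameter of a keeper-executed order is rejected if it carries code or an EIP-7702 delegation designator, and the entry point is wrapped in a reentrancy guard. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only; not the GMX V1 orderbook. Gates the position account so
// that only a plain EOA can own a position and guards against re-entry.
contract OrderExecutorGuard {
    error AccountHasCode(address account);
    error AccountIsDelegated(address account);
    error Reentrant();

    uint256 private _entered; // 0 = idle, 1 = executing
    mapping(address => uint256) public executionFee; // fee escrowed per account

    modifier nonReentrant() {
        if (_entered == 1) revert Reentrant();
        _entered = 1;
        _;
        _entered = 0;
    }

    // True when `account` holds an EIP-7702 delegation designator: exactly
    // 23 bytes of code, 0xef0100 followed by the 20-byte delegate address.
    function isDelegatedEOA(address account) public view returns (bool) {
        bytes memory code = account.code;
        return code.length == 23
            && code[0] == bytes1(0xef)
            && code[1] == bytes1(0x01)
            && code[2] == bytes1(0x00);
    }

    // Reverts unless `account` is a plain EOA (no code, no 7702 delegation).
    // The delegation check runs first only to give a more specific error.
    function requirePlainEOA(address account) public view {
        if (isDelegatedEOA(account)) revert AccountIsDelegated(account);
        if (account.code.length != 0) revert AccountHasCode(account);
    }

    // Hypothetical keeper entry point. The check runs at execution time, not
    // only at order creation, because the fee refund below is the moment a
    // contract account would otherwise regain control of the call flow.
    function executeDecreaseOrder(address account) external nonReentrant {
        requirePlainEOA(account);
        uint256 fee = executionFee[account];
        executionFee[account] = 0; // state settled before any external call
        // ... decrease-position accounting would run here ...
        (bool ok, ) = payable(account).call{value: fee}("");
        require(ok, "refund failed");
    }
}
```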
GMX fell prey to a classic reentrancy vulnerability in its contract, losing $42 million from its GMX V1 contracts. These funds were all recovered within the first 48 hours of the attack, and the attacker was paid the bounty of $5 million. The attacker managed to manipulate the GLP price due to an issue in the internal accounting of the AUM.
At QuillAudits, with our 7+ years of experience and 1M+ lines audited, we aim to identify bugs like this and give suggestions to fix them. We follow a multi-layered auditing framework in which our core team and an external team of researchers review the contracts, adding an extra layer of scrutiny for the protocols.