Decentralized perpetual exchange GMX has halted all trading activity on its GMX V1 protocol after an exploit resulted in the theft of approximately $40 million. The attacker siphoned funds from a key liquidity pool and transferred them to an unidentified wallet, the team confirmed on Wednesday.
Vulnerability Linked to GLP Liquidity Pool
The exploited liquidity pool underpins GMX V1 on the Arbitrum network and holds a mix of digital assets, including Bitcoin (BTC), Ether (ETH), and stablecoins. These assets form the basis for the GLP token, a core component of GMX’s trading infrastructure.
Blockchain security firm SlowMist identified the root cause as a design flaw in the calculation of the platform’s total assets under management. This allowed the attacker to manipulate the GLP token price and execute the exploit.
GLP Minting and Redemption Suspended Across Networks
In response, the GMX team has temporarily disabled the minting and redemption of GLP tokens on both Arbitrum and Avalanche, a Layer-1 network also supporting the protocol. This move aims to prevent further damage while the team investigates the full scope of the breach.
Users have been advised to disable leverage and stop GLP minting via their individual settings to mitigate any potential risk.
GMX V2 and Core Token Remain Unaffected
GMX emphasized that the incident is isolated to GMX V1 and does not impact the GMX V2 protocol, its associated markets or liquidity pools, nor the GMX governance token. “Based on the available information, the vulnerability is limited to GMX V1 and its GLP pool,” the team stated.
Further updates are expected as the investigation continues and the team works to reinforce security measures.
