Hacker returns the money after exploiting 40 million USD from GMX

The attacker behind the $40 million exploit from the decentralized derivatives trading exchange GMX has begun to return funds after apparently accepting a $5 million bug bounty from the project.

The attack targeted the GLP V1 pool of GMX on Arbitrum, taking away more than 40 million USD in various cryptocurrencies such as USDC, FRAX, WBTC, and WETH. GMX immediately suspended trading and minting of V1 on both Arbitrum and Avalanche. GMX V2 and the GMX token were not affected.

After the onchain message committing to a 10% reward and no legal action if the attacker returns within 48 hours, the hacker responded: "ok, funds will be returned later". Shortly after, the hacker's address returned a total of 10.5 million FRAX to GMX, according to PeckShield.

The GMX token fell to a low of $10.45 (-28%) after the incident but has recovered 14% to $13.25 following news that the hacker has begun to return the funds.

The technical report confirms the attack exploiting the re-entrancy vulnerability in the OrderBook contract to manipulate the short BTC price and profit from GLP. GMX stated that it will stop minting/redemption of GLP V1 on Arbitrum, refund affected users, and open a DAO discussion on the next steps.