In July 2025, the GMX v1 perpetuals protocol on Arbitrum was exploited for roughly $42 million through a flaw in its GLP liquidity-token pricing logic. The attacker returned the bulk of the funds within days in exchange for a public white-hat bounty.
What happened
GMX v1 used GLP, a multi-asset basket token, as the counterparty for its perpetual positions. GLP's price was calculated from the aggregated value of the underlying basket, with adjustments for open trader PnL.
The attacker exploited a gap in how this calculation interacted with state changes triggered during the same transaction. By opening, modifying, or closing positions in a specific sequence inside a single call, the attacker could push the protocol's accounting into a state where GLP redemption returned more value than its true backing supported.
Roughly $42M in assets was extracted across multiple transactions before the protocol paused.
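The failure class described above can be shown with a small model. This is an added example, not GMX's code and not a reconstruction of the exploit: the `Pool` and `Transaction` classes, the 50 bps tolerance and all numbers are assumptions made for illustration. It prices a liquidity token from basket value adjusted for trader PnL, then refuses a redemption when that price has moved since the start of the same transaction.

```python
from dataclasses import dataclass

SCALE = 10**6          # fixed-point scale for the share price
MAX_DRIFT_BPS = 50     # assumed tolerance for price movement inside one transaction

class PriceDriftError(Exception):
    """Share price moved too far from the value snapshotted at transaction entry."""

@dataclass
class Pool:
    basket_value: int  # USD value of the assets the pool holds
    trader_pnl: int    # aggregate unrealised PnL owed to traders (negative: traders losing)
    supply: int        # liquidity tokens outstanding

    def share_price(self) -> int:
        # Basket value adjusted for open trader PnL, per token.
        return (self.basket_value - self.trader_pnl) * SCALE // self.supply

class Transaction:
    """One call frame: the share price is snapshotted before any state change."""

    def __init__(self, pool: Pool):
        self.pool = pool
        self.entry_price = pool.share_price()

    def redeem(self, shares: int) -> int:
        price = self.pool.share_price()
        drift_bps = abs(price - self.entry_price) * 10_000 // self.entry_price
        if drift_bps > MAX_DRIFT_BPS:
            raise PriceDriftError(f"share price drifted {drift_bps} bps in one transaction")
        payout = shares * price // SCALE
        self.pool.basket_value -= payout
        self.pool.supply -= shares
        return payout

def demo() -> tuple[int, bool]:
    # Constructed numbers: $1,000,000 basket, traders up $50,000, 1,000,000 tokens.
    pool = Pool(basket_value=1_000_000, trader_pnl=50_000, supply=1_000_000)
    honest = Transaction(pool).redeem(100_000)   # pays at 0.95 per token

    tx = Transaction(pool)
    pool.trader_pnl -= 400_000   # constructed accounting change inside the same transaction
    try:
        tx.redeem(100_000)
        blocked = False
    except PriceDriftError:
        blocked = True
    return honest, blocked
```

The honest redemption leaves the price for remaining holders unchanged, which is the invariant a redemption path should preserve.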
Aftermath
- GMX governance offered a 10% white-hat bounty for the return of funds.
- The attacker accepted; approximately 90% of the drained funds were returned within a week, which by most measures makes the event a (very expensive) white-hat operation.
- GMX v2, already live, was unaffected. GMX v1 was wound down and migrations to v2 accelerated.
Why it matters
GMX is one of a small set of 2025 exploits that ended with the attacker behaving as a (paid) white hat. The pattern is increasingly common at the $5M–$200M scale: protocols with on-chain visibility and well-resourced communities can sometimes make returning funds the path of least resistance. Above that scale — Bybit, Cetus, DMM — the funds typically go to laundering instead.
Sources & on-chain evidence
- [01] protos.com: https://protos.com/2025s-biggest-crypto-hacks-from-exchange-breaches-to-defi-exploits/
- [02] halborn.com: https://www.halborn.com/blog/post/year-in-review-the-biggest-defi-hacks-of-2025