Massive $42M GMX Crypto Heist Sparks Turmoil and Forces Swift DeFi Security Rethink

The Blockchain State Team

07/19/2025

A massive $42 million hack rocked the DeFi world on July 9, 2025, when an unknown attacker exploited GMX’s cross-chain functionality. The vulnerability allowed the hacker to mint and redeem GLP tokens excessively, basically withdrawing more assets than they’d deposited. Talk about a profitable day at the office.

Within hours, the attacker had bridged $9.6 million to Ethereum and converted it to DAI and ETH, probably while sipping a cocktail and laughing. GMX immediately slammed on the brakes, suspending V1 trading and all GLP mint/redeem functions on both Arbitrum and Avalanche networks. The team deployed Solidity contracts to patch the vulnerable components.

The security flaw? Turns out their smart contract business logic had some serious holes, especially around cross-chain operations and improper updating of global short average prices. This vulnerability was likely related to insufficient validation in GLP contracts that allowed the attacker to inflate their token balances. The root cause of the attack was identified by on-chain security firm SlowMist as a design flaw in the GMX V1 architecture. Who would’ve thought that asynchronous vault logic might cause problems? Everyone except the developers, apparently.

Smart contracts that don’t account for cross-chain chaos are just money piñatas waiting for someone with a big enough stick.

The fallout was swift and painful. GMX token price tanked 15-20% within 24 hours. Trading volume crashed. And just like that, GMX joined the not-so-exclusive club of major 2025 DeFi hacks alongside Bybit and Cetus DEX.

The GMX team didn’t waste time. They disabled affected protocol functions, sent on-chain alerts, and even tried communicating with the attacker via an on-chain message. They offered a white-hat bounty: 10% of stolen funds and no legal action if returned within 48 hours. Surprisingly, it worked, mostly.

The exploiter returned the majority of assets after some negotiation. First came $10.4 million in stablecoins, then 10,000 ETH and more. In total, about $40.5 million made its way back to GMX. The thief still kept roughly 1,700 ETH worth $5.1 million. Finder’s fee, perhaps?

This hack has reignited debates about cross-chain security and audit coverage gaps. The 2025 DeFi landscape is littered with similar attacks targeting vault logic implementations. Same story, different protocol. When will they learn?
