On July 9, 2025, the decentralized perpetual futures exchange GMX suffered a $42 million exploit. Yet, in a surprising turn, the hacker returned almost the entire haul within 48 hours, after negotiations and a bounty offer from the GMX team. The unusual outcome raises questions about how DeFi security is changing, and about how much financial incentives can do to limit long-term damage once an exploit has already happened.
The Heist: Where $42M Went
The attack did not touch GMX's current V2 contracts; it targeted the GLP liquidity pool of GMX Version 1 on Arbitrum. The attacker used a reentrancy exploit to manipulate the global AUM (assets under management) figure that GLP is priced from, inflating the value of the GLP token, and then redeemed GLP against the pool at that inflated price. In this way the attacker drained an estimated $42 million from the pool, including stablecoins, wrapped BTC and ETH, DAI, and FRAX.
Hack to Healed: An On-Chain Negotiation
Shortly after the hack, GMX published an on-chain message offering a 10% white-hat bounty (around $4–5 million) in exchange for the full, or near-full, return of the stolen assets within 48 hours.
At 07:29 am London time on Friday, the exploiter replied in an on-chain message: “Ok, funds will be returned later.” The transfers began at 09:08 am. The hacker first sent $10.4 million in stablecoins, followed by 10,000 ETH and additional assets, amounting to roughly $40.5 million in total.
Bounty or Ethics? A Mystery Incentive
Whether the hacker kept exactly the 10% bounty remains unclear, but the numbers suggest a profit was made either way. Ether's 14% rise in value during the window likely netted the exploiter an extra $3–5 million on the ETH held in the meantime. By returning over 90% of the funds, the hacker lowered the odds of legal reprisal and still walked away with a tidy gain.
GMX’s Damage Control
After the exploit, GMX suspended V1 trading on both Arbitrum and Avalanche, stopped the minting of GLP tokens, and urged forked protocols to address the same vulnerability immediately. GMX's native token fell about 28% to $10.45 after the exploit and recovered about 14% once the return of funds was confirmed, indicating that some investor confidence had been restored.
The Exploit
Security firms including SlowMist and SolidityScan published forensic analyses of the attack. They traced it to a call to executeDecreaseOrder() with a malicious contract as the receiver: when funds were refunded to that contract, its fallback function ran and re-entered GMX's contracts before the original call had finished. The reentrant call took advantage of a timing issue in getAum(): the global short-position accounting that feeds the AUM figure lagged behind the state of the positions, so GLP was priced too high and redemptions paid out more than they should have. GMX stated that V2 and the GMX token itself were unaffected, since the vulnerable code exists only in V1.
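The reentrancy-plus-stale-AUM pattern described above, as an added example that is not GMX's code and is not taken from the SlowMist or SolidityScan analyses: a constructed Python model of a GLP-style pool (the ToyVault, Attacker and run names, the settlement ordering and all amounts are hypothetical). In the vulnerable configuration the refund callback in execute_decrease_order fires before the global short tracker is updated, so for the duration of the callback get_aum() counts the closed short's loss twice, once as realized stablecoins in the pool and once as the still-open short's unrealized loss. An attacker re-entering from that callback redeems GLP at the inflated price. The same function run with the tracker updated before the external call (checks-effects-interactions ordering) pays the fair price, and with a nonReentrant-style lock the re-entrant call is rejected outright.

```python
from fractions import Fraction as F


class ReentrancyError(Exception):
    """Stands in for the revert a nonReentrant guard would cause on chain."""


class ToyVault:
    """Constructed GLP-style pool for this example, not GMX's Vault. AUM = pool stablecoins +
    unrealized loss of open shorts (their loss is GLP holders' gain); GLP price = AUM / supply."""

    def __init__(self, pool_usd, glp_supply, mark_price, effects_first, guard):
        self.pool_usd = F(pool_usd)
        self.glp_supply = F(glp_supply)
        self.mark_price = F(mark_price)
        self.short_size_usd = F(0)          # global short tracker (one position in this toy)
        self.short_avg_price = F(0)
        self.positions = {}                 # trader -> (size_usd, collateral_usd in escrow)
        self.effects_first = effects_first  # update the tracker before calling out (CEI)
        self.guard = guard                  # nonReentrant-style lock
        self._locked = False

    def _enter(self):
        if self.guard and self._locked:
            raise ReentrancyError("re-entrant call rejected")
        self._locked = True

    def get_aum(self):
        aum = self.pool_usd
        if self.short_size_usd > 0:  # mark above entry: shorts are under water, pool is ahead
            aum += self.short_size_usd * (self.mark_price - self.short_avg_price) / self.short_avg_price
        return aum

    def glp_price(self):
        return self.get_aum() / self.glp_supply

    def mint(self, usd):  # pre-attack setup only, so left unguarded in the toy
        glp = F(usd) / self.glp_price()
        self.pool_usd += F(usd)
        self.glp_supply += glp
        return glp

    def redeem(self, glp):
        self._enter()
        try:
            usd = F(glp) * self.glp_price()
            self.glp_supply -= F(glp)
            self.pool_usd -= usd
            return usd
        finally:
            self._locked = False

    def open_short(self, trader, size_usd, collateral_usd):
        # collateral stays in escrow, outside AUM, until the position settles
        self.positions[trader] = (F(size_usd), F(collateral_usd))
        self.short_size_usd += F(size_usd)
        self.short_avg_price = self.mark_price

    def execute_decrease_order(self, trader, receiver):
        """Close the trader's short: the loss (capped at collateral) is forfeited to the
        pool and the rest is refunded through a callback, which is the re-entry point."""
        self._enter()
        try:
            size, collateral = self.positions.pop(trader)
            move = self.mark_price - self.short_avg_price
            loss = min(collateral, size * move / self.short_avg_price) if move > 0 else F(0)
            self.pool_usd += loss                        # effect: realized loss is now in the pool
            if self.effects_first:
                self.short_size_usd -= size              # effect: tracker stops counting it
            receiver.on_refund(self, collateral - loss)  # interaction: receiver can re-enter here
            if not self.effects_first:
                self.short_size_usd -= size              # lag: until now AUM counted the loss twice
        finally:
            self._locked = False


class Attacker:
    """Holds GLP bought at a fair price and redeems it from inside the refund callback."""

    def __init__(self):
        self.glp, self.payout = F(0), None

    def on_refund(self, vault, refund_usd):
        self.payout = vault.redeem(self.glp)


def run(effects_first, guard):
    """Return (attacker payout, or None if rejected; GLP price left for everyone else)."""
    vault = ToyVault(900_000, 900_000, 2000, effects_first, guard)
    attacker = Attacker()
    attacker.glp = vault.mint(100_000)                    # 100,000 GLP at $1.00
    vault.open_short("attacker", size_usd=200_000, collateral_usd=20_000)
    vault.mark_price = F(2200)                            # +10%: the short loses all its collateral
    try:
        vault.execute_decrease_order("attacker", receiver=attacker)
    except ReentrancyError:
        return None, None                                 # on chain the whole transaction reverts
    return attacker.payout, vault.glp_price()


if __name__ == "__main__":
    print({cfg: run(*cfg) for cfg in [(False, False), (True, False), (True, True)]})
```

Running the three configurations gives a payout of 104,000 for the vulnerable ordering versus 102,000 under effects-first ordering; the 2,000 difference comes straight out of the remaining GLP holders, whose price drops below the correct 1.02. The toy's settlement steps are simplified for illustration, but the class of bug is the same as the page describes: any external call made while a value that the pricing function reads is mid-update gives the counterparty a window to trade at a wrong price, and the fix is to finish the state update before the call and to reject re-entry regardless.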
Why This Is Important
- A rare white-hat outcome: Most DeFi hacks end in permanent loss. A voluntary return of funds driven by a bounty offer, as in the GMX case, has happened only a handful of times in recent years (Euler Finance in 2023 is another example).
- Legacy code remains exposed: DeFi security practice keeps improving, but mature or older contracts such as GMX V1 remain susceptible to newly found bugs. Other platforms built on forks of the V1 code urgently need to audit and patch their deployments.
- A maturing crisis playbook: This incident is evidence that, under certain conditions, a bounty offer recovers stolen funds and limits reputational damage better than legal recourse alone.
Next Steps
GMX is working on a plan to compensate users affected by the hack, while its governance continues to deliberate on the broader response. The rest of the DeFi ecosystem is watching. Will the DAO model for crisis management adopt bounties as a standard tool, and can that model be standardized at all?
The incident is a useful reminder: hacks will keep happening, but the technical response that follows, combined with well-designed incentive strategies, could shape a new crisis playbook for decentralized finance.