
BlockSec: GMX Attack Principle Analysis

This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection design.
Author: BlockSec
GMX (the V1 deployment on Arbitrum) was hacked for losses exceeding $40 million. The attacker combined a reentrancy vulnerability with the ability to open short positions while the Vault's leverage functionality was enabled.
The root of the issue lies in the incorrect handling of the executeDecreaseOrder function. Its first parameter is assumed to be an externally owned account (EOA), but the attacker passed a smart contract address instead. An address parameter on its own carries no guarantee that the caller is an EOA: when the order's proceeds (ETH) were sent to that address, the receiving contract's fallback ran, and from there the attacker re-entered the system in the middle of the redemption flow, manipulated internal state, and ultimately redeemed assets worth far more than the GLP they held.
Normal GLP Redemption Mechanism
In GMX, GLP is the liquidity provider token representing a share of the vault's assets (USDC, ETH, WBTC, and so on). When a user calls unstakeAndRedeemGlp, the system calculates the value of assets to return using the following formula:
redeem_amount = (user_GLP / total_GLP_supply) * AUM
Where AUM (Assets Under Management) is calculated as:
AUM = Total value of all token pools + Global unrealized losses on shorts - Global unrealized gains on shorts - Reserved amounts - Preset deduction (aumDeduction)
For each non-stable token, the global short position is evaluated against its average entry price: if the current price is above that average, the shorts are underwater and the loss is added to AUM; if it is below, the profit is subtracted. This mechanism is meant to ensure that GLP holders receive their proportional share of the vault's actual assets, because the traders' losses are money the vault stands to collect.
Problems Introduced by Leverage
When leverage is enabled (via enableLeverage), users can open leveraged long or short positions directly against the Vault. Before redeeming GLP, the attacker used this window to open a very large WBTC short.
Opening the short increases the global short size. Although the price had not yet moved, the system treated the new short as already being at a loss, and that unrealized loss was counted as a vault "asset", artificially inflating AUM. The vault had not gained any real value, but the redemption calculation used the inflated AUM, so the attacker's GLP redeemed for significantly more than its fair share of the pool.
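The following is an added worked example, not code from the article or from GMX. It models the redemption formula and the AUM formula above in Python and shows how adding a large short to the global short size inflates both AUM and the redemption payout. The vault balances, prices and GLP supply are constructed numbers, and the example assumes that the new short is added to the global short size while the average entry price used by the AUM calculation is not refreshed, which is one way a fresh short registers as an immediate loss; that assumption is the example's, not a claim taken from the article.

```python
"""Model of GLP redemption and AUM inflation by an oversized global short.

Added example with constructed numbers; it follows the article's AUM formula
(pool value + short losses - short profits - reserved - aumDeduction).
"""
from dataclasses import dataclass


@dataclass
class TokenPool:
    pool_amount: float          # tokens held by the vault
    price: float                # current oracle price in USD
    reserved: float = 0.0       # tokens reserved to back open positions
    is_stable: bool = False     # stablecoins carry no short accounting
    short_size_usd: float = 0.0     # global short size (USD notional)
    short_avg_price: float = 0.0    # global short average entry price


def global_short_delta(size_usd: float, avg_price: float, price: float):
    """Return (delta_usd, has_profit) for the aggregate short on one token.

    Shorts lose when the price is above the average entry price; the
    size-weighted PnL magnitude is size * |avg - price| / avg.
    """
    if size_usd == 0:
        return 0.0, False
    delta = size_usd * abs(avg_price - price) / avg_price
    return delta, price < avg_price


def compute_aum(pools: dict, aum_deduction: float = 0.0) -> float:
    """AUM per the article's formula. Short losses are ADDED as assets."""
    aum = 0.0
    short_profits = 0.0
    for p in pools.values():
        aum += p.pool_amount * p.price
        aum -= p.reserved * p.price
        if p.is_stable:
            continue
        delta, has_profit = global_short_delta(
            p.short_size_usd, p.short_avg_price, p.price)
        if has_profit:
            short_profits += delta
        else:
            aum += delta    # traders' unrealized losses count as vault assets
    aum = 0.0 if short_profits > aum else aum - short_profits
    return max(aum - aum_deduction, 0.0)


def redeem_usd(user_glp: float, total_glp: float, aum: float) -> float:
    """redeem_amount = (user_GLP / total_GLP_supply) * AUM"""
    return user_glp / total_glp * aum


def make_pools() -> dict:
    """Constructed sample vault (hypothetical numbers)."""
    return {
        "WBTC": TokenPool(10, 100_000.0, reserved=1.0,
                          short_size_usd=500_000.0, short_avg_price=95_000.0),
        "ETH": TokenPool(1_000, 3_000.0, reserved=50.0),
        "USDC": TokenPool(5_000_000, 1.0, is_stable=True),
    }


def baseline_redemption(user_glp: float = 100_000.0,
                        total_glp: float = 1_000_000.0) -> float:
    """Payout for 10% of GLP supply with only the pre-existing shorts."""
    return redeem_usd(user_glp, total_glp, compute_aum(make_pools()))


def inflated_redemption(extra_short_usd: float = 50_000_000.0,
                        user_glp: float = 100_000.0,
                        total_glp: float = 1_000_000.0) -> float:
    """Same redemption after a huge WBTC short is added to the global size.

    Assumption of this example: the global short average entry price used
    by AUM is not refreshed for the new short, so the whole enlarged size is
    evaluated at the stale (lower) average price and shows as a loss.
    """
    pools = make_pools()
    pools["WBTC"].short_size_usd += extra_short_usd
    return redeem_usd(user_glp, total_glp, compute_aum(pools))


if __name__ == "__main__":
    base, inflated = baseline_redemption(), inflated_redemption()
    print(f"baseline payout : {base:,.2f} USD")
    print(f"inflated payout : {inflated:,.2f} USD ({inflated / base:.2f}x)")
```

Nothing about the pool balances changes between the two runs; only the short-loss term grows with the injected size, and the redemption formula passes that growth straight through to the redeemer.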
Attack Flow
Attack transaction:
https://app.blocksec.com/explorer/tx/arbitrum/0x03182d3f0956a91c4e4c8f225bbc7975f9434fab042228c7acdc5ec9a32626ef?line=93


Conclusion
This attack exposed critical flaws in GMX's design around its leverage mechanism and its reentrancy protection. The core problem is excessive trust in AUM within the redemption logic, with no independent validation of its components, in particular the unrealized short losses that the formula credits to the vault. In addition, the assumption about caller identity in key functions (EOA versus contract) was never enforced, so an ETH transfer to a caller-supplied address became a reentry point. The incident is another reminder to developers that financially sensitive operations must not be executable against manipulable state, especially once complex financial logic such as leverage and derivatives is introduced, where reentrancy and state pollution must be rigorously guarded against.