TechFlow news, on July 10, SlowMist's Yu Xian posted on social media stating: "The fundamental reason for the $42 million GMX hack last night was that GMX v1 immediately updates the globalShortAveragePrices when handling short positions, and this global average price directly affects the calculation of total Assets Under Management (AUM), thereby enabling manipulation of the GLP token price.
The attacker exploited this design flaw by leveraging the timelock.enableLeverage feature used by Keepers during order execution—a necessary condition for creating large short orders—and successfully created a large short position via reentrancy to manipulate the global average price, artificially inflating the GLP price within a single transaction and profiting through redemption operations.
Doing DeFi is truly a high-risk endeavor. GMX is a very established decentralized perpetual trading platform, yet it still fell into a major pitfall this time. A 10% white-hat bounty may not be enough to entice the attacker…"





