GMX Exploiter Starts Returning $40M in Crypto After Accepting $5M Bounty

The hacker behind this week’s $40 million exploit of decentralized exchange GMX has begun returning stolen funds, days after the protocol offered a $5 million bounty and promised no legal action if most of the crypto was sent back.
The breach targeted GMX’s V1 liquidity pool on Arbitrum, draining a mix of assets including USDC, FRAX, WBTC, and WETH. The attack exploited a re-entrancy bug in the platform’s OrderBook contract, which allowed the exploiter to manipulate short positions on BTC, inflate the price of GLP tokens, and cash out with a hefty profit. GMX responded by freezing all V1 trading and minting on both Arbitrum and Avalanche.
On Friday, the attacker responded to GMX’s onchain bounty message with a blunt reply: “ok, funds will be returned later.” Blockchain analytics firm PeckShield flagged the message and confirmed the exploiter had returned $5.5 million in FRAX, followed by another $5 million shortly after. ETH transfers totaling around $30 million were also tracked back to GMX’s deployer address.
The hacker had 48 hours to comply or face legal action. GMX’s public bounty offer, equal to 10% of the stolen sum, remains available from its treasury.
In the aftermath, GMX’s token dropped 28% but rebounded around 14% on Friday as the funds began to trickle back. It was last trading at $13.25.
The GMX team published a post-mortem on Thursday, confirming that V1 was hit by a re-entrancy vulnerability and that V2 operations were unaffected. Going forward, the team said minting and redeeming GLP on Arbitrum will be disabled, and remaining funds will go toward reimbursing affected users. A DAO vote is expected to decide on further compensation measures.
The GMX exploit is the latest reminder of the challenges facing DeFi protocols as they juggle complex codebases, real-world incentives, and increasingly professional attackers. Still, the outcome here appears headed for a relatively peaceful resolution—albeit one that cost GMX millions and a reputational bruise.