How a Simple Short Turned GMX into a $40M ATM

On July 10, the decentralized perpetual exchange GMX suffered an exploit on its V1 liquidity pool on Arbitrum, resulting in over $40 million being drained.

GMX immediately issued a public notice:

• 「The exploit only affects V1 and its GLP liquidity pool. V2 and the GMX token are unaffected.」
• 「Trading on GMX V1, and the minting and redeeming of GLP, have been paused to prevent further damage.」

At first glance, it might sound like a familiar case of smart contract vulnerabilities — but this one was far more subtle.

The attacker didn’t break any rules. No permissions were bypassed. No complex tooling was used.

They simply interacted with the system as intended — and turned GMX’s design into a money printer.

---

What actually happened? 

There was a structural issue in how GMX calculated the price of GLP. The update of the price and balance wasn’t properly sequenced. Every time someone opened a short position, it would instantly affect the 「global short average price」 — which in turn changed the platform’s AUM (Assets Under Management). Since GLP’s price is tied to AUM, this meant each short could shift the GLP price, even within a single transaction.

The attacker exploited this by using the GMX Keeper — an off-chain automation bot that executes user trades — to repeatedly call a specific function, rapidly simulating large-scale shorting.
This created an inflated 「average price」 for shorts inside a single transaction. At that moment, the attacker redeemed GLP, which was still priced based on the artificially raised AUM.

「Deposit -> Inflate average short price -> GLP price increases -> Redeem -> Profit」

It all happened in one atomic transaction.
No permissions bypassed.

Just a chain of legitimate operations exploiting the design itself.

---

Where exactly is the problem? 

The most unsettling part is this:
There was no error thrown. The contracts were audited. The attacker didn’t violate any rules.

But GMX V1’s design — where position changes immediately affect global asset valuation — left it wide open to this type of manipulation. It allowed someone to:

「Move fast enough to fabricate value, then exit before the system catches up.」

Everything the attacker did was permitted — and yet, it caused massive withdrawal pressure and ultimately drained value from the pool.

This is a textbook example of a 「mechanism-level attack」 — not a code exploit, but a flaw in protocol logic and assumptions.

---

GMX’s response

GMX quickly halted trading, minting, and redeeming of GLP on V1. GLP holders cannot redeem tokens until further notice.

The team emphasized:

• The vulnerability is limited to V1’s GLP pool
• V2, the GMX token, and other products are unaffected
• Security has always been a top priority, with multiple audits completed
• The flaw lies not in implementation, but in pricing logic design

GMX is now working closely with its security partners to fully investigate the root cause and explore remediation and compensation options.

They’ve also warned all forks of GMX V1:

• Disable leverage immediately
• Halt GLP minting
• You may share the same underlying vulnerability

A full incident report is expected once the investigation concludes.

---

What does this mean for users?

For many, the immediate reaction is fear:
Should I pull funds? Will GMX cover losses? Is there a safer alternative?

But the deeper question is:
Do you actually understand how your DeFi protocol computes value?

• What is GLP? A liquidity token
• What determines its price? AUM
• What determines AUM? Unrealized PnL
• What drives PnL? Global short average price
• Who updates that price? In this case, the attacker

Every dollar you earn on-chain is built on some ruleset.
But if those rules can be exploited, your earnings — your deposits — may be vulnerable.

The real risk in DeFi isn’t always a hacker in the shadows.
Sometimes, it’s the assumptions baked into the code you trust.