As a result of an attack on the GMX V1 GLP pool, over $40 million was stolen, once again raising questions about the security of decentralized finance protocols. The protocol halted trading after the incident.
Overview of the GMX V1 GLP Attack
On July 9, 2023, GMX confirmed an attack on its V1 GLP pool on the Arbitrum platform, resulting in over $40 million worth of tokens stolen in a single transaction. The attacker manipulated the GLP vault mechanism, causing the protocol to halt trading and pause the minting and redeeming of GLP on both Arbitrum and Avalanche.
Exploitation Mechanism and Consequences
Experts believe that the attack was carried out by manipulating the leverage mechanism to mint excessive GLP tokens without proper collateral. Having inflated their position, the attacker exchanged the fraudulently minted GLP for underlying assets, leaving the pool short by over $40 million. The funds were swiftly moved using a malicious contract funded through Tornado Cash, with approximately $9.6 million bridged from Arbitrum to Ethereum and converted to DAI.
Security Issues in DeFi
GMX's contracts were audited by top firms like Quantstamp and ABDK Consulting, but none of the audits identified the vulnerability that allowed the leverage exploitation. This raises questions about the reliability of existing security measures in DeFi. Although GMX has a $5 million bug bounty program, the attack highlights that even the most secure protocols can be vulnerable to specific logical flaws.
The attack on GMX V1 GLP casts doubt on the effectiveness of audits in the DeFi space. This incident serves as a reminder of the risks faced by decentralized finance protocols and the need for improved security systems.