On July 9, 2025, the decentralized exchange GMX was hacked, and $42 million was stolen from its GLP liquidity pool on Arbitrum. The incident exposes vulnerabilities within the DeFi space.
The Exploit and Role of CrowSwap
The attacker exploited a reentrancy vulnerability to mint unauthorized GLP tokens, draining various assets such as ETH, LINK, UNI, DAI, USDC, FRAX, and WBTC. The hacker utilized flash loans to manipulate the GMX GLP pool, extracting $32 million from Arbitrum and bridging $9.6 million to Ethereum. On-chain data indicates that the hacker converted $9.75 million in USDC and $1.34 million in DAI into ETH via CrowSwap, raising questions about the platform’s role in facilitating the laundering of stolen funds.
GMX’s Response
In response to the incident, GMX halted V1 trading and disabled GLP minting and redemption on Arbitrum and Avalanche to limit further losses. The team offered a 10% white-hat bounty ($4.2 million) if 90% of the funds are returned within 48 hours, and promised to conduct a detailed post-mortem. After the hack, GMX’s token price dropped by more than 20%, falling to $11.11.
Implications for DeFi
The GMX exploit highlights ongoing security challenges in DeFi, particularly around smart contract vulnerabilities and cross-chain risks. CrowSwap’s involvement amplifies concerns regarding the susceptibility of decentralized exchanges to misuse. As investigations continue, the DeFi community awaits updates on fund recovery and CrowSwap’s response to its role in the laundering process.
The GMX incident serves as a vital lesson on the need for improved security within the DeFi environment and the importance of robust measures against fraud on decentralized platforms.