On July 9, 2025, decentralized exchange GMX was hit by a $42 million hack that targeted its GLP liquidity pool on Arbitrum.
The Exploit and Role of CrowSwap
The attacker exploited a reentrancy vulnerability to mint unauthorized GLP tokens, draining assets including ETH, LINK, UNI, DAI, USDC, FRAX, and WBTC.
The hacker laundered a significant portion of the funds through CrowSwap, raising concerns about its role in facilitating illicit transactions. They used flash loans to manipulate GMX’s GLP pool, extracting $32 million from Arbitrum and bridging $9.6 million to Ethereum.
GMX's Response
Following the hack, GMX halted V1 trading and disabled GLP minting/redemption on Arbitrum and Avalanche to limit further losses. A 10% white-hat bounty of $4.2 million was offered if 90% of the funds were returned within 48 hours. The hack caused GMX's token price to drop over 20% to $11.11.
Implications for DeFi
The GMX exploit underscores persistent DeFi security challenges, particularly regarding smart contract vulnerabilities and cross-chain risks. CrowSwap’s involvement amplifies concerns about decentralized exchanges' susceptibility to misuse. As investigations continue, the DeFi community awaits updates on fund recovery and CrowSwap’s response regarding its role in the laundering process.
The GMX hack serves as an important reminder of the need to strengthen security in decentralized finance and to focus on smart contract security to avoid such incidents in the future.