GMX hacked for $42 million via GLP pool vulnerability

Decentralized exchange GMX was hit by an attack that caused $42 million in damage. The incident was quickly spotted by an on-chain analyst known by the pseudonym DeFi Cheetah, who recorded suspicious movements of funds from addresses associated with GMX V1.
The hacker withdrew assets from the Arbitrum network, which hosts the GLP pool of GMX V1. Some of the funds were transferred to Ethereum mainnet, while some of the stablecoins were exchanged for other tokens. The withdrawn assets include USDC, DAI, ETH, WBTC, UNI and LINK.
GMX representatives confirmed the attack. According to them, the exploit affected only the GLP pool of V1 on Arbitrum. In response to the incident, the team suspended trading as well as the issuance and redemption of GLP on both the Arbitrum and Avalanche networks. The decision was taken to prevent further losses and protect users.
The developers stated that GMX V2, its liquidity pools, and the native GMX token were not affected. The cause of the vulnerability has not been disclosed yet, but the team promised to provide a detailed report once its analysis is complete.
Amid the hack, the GMX token plummeted in price by 17%, falling from $15 to $11.4, according to CoinGecko data.
Earlier, in June, the Resupply protocol was also attacked: the attacker withdrew $9.5 million by exploiting a bug in the rate calculation mechanism.