GMX Hacker Returns $40M After Major Exploit, Token Surges
The hacker who drained over $40 million from GMX’s V1 contracts earlier this week has started returning the stolen funds, sending GMX’s token price sharply higher.
The attack exploited a reentrancy flaw in GMX’s OrderBook contract, allowing the perpetrator to manipulate BTC short positions, inflate the value of the platform’s GLP pool, and cash out significant profits in tokens like USDC, WBTC, WETH, and FRAX.
On Friday, the attacker posted an on-chain message saying, “ok, funds will be returned later.” Hours afterward, over $10.5 million in FRAX stablecoins was transferred back to GMX’s deployer wallet, as flagged by blockchain security firm PeckShield.
By day’s end, more than $40 million in assets—including roughly 9,000 ETH and 10.5 million FRAX—had been returned to the GMX Security Committee’s multisig wallet, according to blockchain analytics firm Lookonchain.
PeckShieldAlert (@PeckShieldAlert)
“#PeckShieldAlert #GMX Exploiter has returned a total of $37.5M worth of cryptos, including ~9K $ETH & 10.5M $FRAX to the #GMX Security Committee Multisig address.”
July 11, 2025
GMX’s token responded positively to the developments, jumping 13% over the past 24 hours to trade around $13.15.
In response to the hack, GMX had suspended all V1 trading and minting activities across both Arbitrum and Avalanche. The protocol offered a $5 million white-hat bounty—over 10% of the stolen funds—and promised no legal action if the attacker returned the full amount within 48 hours, a timeline that appears to have been met by Friday morning in Europe.
Reentrancy attacks remain one of DeFi’s most dangerous vulnerabilities, enabling hackers to repeatedly interact with smart contracts before a transaction completes, draining funds unexpectedly.
GMX’s swift action and significant fund recovery underscore the ongoing security challenges and rapid responses shaping the decentralized finance ecosystem.
