GMX Exploit Nets Hacker $5 Million “Bounty” After $40 Million Heist

- The GMX hacker returned the full US$40M stolen, plus slightly more due to market gains, and is expected to keep a US$5M bounty under a white hat agreement.
- The exploit targeted a pricing flaw in GMX v1’s GLP liquidity pool on Arbitrum, allowing the attacker to manipulate asset valuations and drain funds.
- GMX offered the 10% bounty to avoid legal action; the attacker complied, and a full post-mortem has since been published outlining the flaw and mitigation steps.
The hacker behind the US$40M (AU$60.7M) GMX hack has now returned all stolen funds and will likely walk away with a US$5M (AU$7.6M) bounty, according to blockchain data and statements from the protocol.
“Ok, funds will be returned later,” the hacker said. Security firm PeckShield confirmed that the stolen money had been returned by Friday. The returned total slightly exceeded the original stolen amount due to market gains, with Bitcoin hitting new highs and Ethereum crossing US$3K (AU$4.5K) for the first time in months.
How the Attack Unfolded
The exploit targeted GMX v1’s liquidity pool on Arbitrum, using a pricing flaw tied to GLP token mechanics. The attacker manipulated value calculations to drain multiple assets from the system, according to blockchain data.
In response, GMX posted a public statement offering the attacker 10% of the stolen funds as a white hat bounty if 90% was returned. The protocol stated that the offer was a way to avoid a legal ultimatum for the attacker and allow them to retain the funds without any risk.
It looks like the attacker accepted and complied, transferring funds to a wallet controlled by GMX’s security team.
The DEX published a full post-mortem on Thursday outlining the reentrancy flaw, its impact on GLP pricing mechanics, and ongoing mitigation steps. No further attacker communications have been recorded since the final return transaction.
“The white hat bug bounty of $5 million continues to be available. We’re prepared to confirm the legitimacy of these funds for your future use,” GMX stated.