Hacker stole more than 60 million from GMX and is now considering putting on a white hat

GMX, the decentralized exchange for perpetual contracts that runs on the Arbitrum and Avalanche networks, was exploited on July 9 for more than USD 60 million. According to Lookonchain, a platform that tracks on-chain events, the hacker returned 10 million dollars in Legacy Frax Dollar (FRAX), a cryptocurrency pegged to the US dollar. It is estimated that this hacker could return at least 42 million in exchange for 5 million as a reward for “hunting” the bug.

The Arbiscan block explorer confirms that the 10 million were returned to an Arbitrum contract labeled GMX Deployer. This account seems to have administrative privileges on the GMX platform, and surely belongs to the management of the perpetual exchange. The entire GMX attack happened on Arbitrum, since a security alert prevented the same from happening on Avalanche.

With this return, the hacker still holds about 11,700 ETH from the exploited contract. Since they fell into the hacker's hands, these coins have generated unrealized profits of about 3 million dollars, thanks to the rise in the price of Ether to around 3 thousand dollars.

According to a GMX statement, the root cause of the exploit was a reentrancy attack on the following smart contract.

Although this function has the `nonReentrant` modifier to protect against reentrancy, this only prevents reentrancy for functions within the same contract, that is, within the Orderbook contract. The attacker took advantage of this reentrancy to call the Vault contract directly.

GMX, Perpetual Exchange.
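The scope limit described in the statement can be reproduced in a small model. This is an added example, not GMX's code: Python objects stand in for the Orderbook and Vault contracts, and `Lock`, `execute_order`, `change_position` and the callback are hypothetical names. The shared lock is one common mitigation, assumed here for contrast; the page does not say how GMX fixed the issue.

```python
class ReentrancyError(Exception):
    """A function guarded by an already-held lock was entered again."""

class Lock:
    """Models the storage flag behind a nonReentrant modifier."""
    def __init__(self):
        self.held = False
    def __enter__(self):
        if self.held:
            raise ReentrancyError("lock already held")
        self.held = True
    def __exit__(self, *exc):
        self.held = False

class Vault:
    def __init__(self, lock):
        self.lock, self.calls_mid_order = lock, 0
    def change_position(self):  # hypothetical state-changing entry point
        with self.lock:
            self.calls_mid_order += 1

class Orderbook:
    def __init__(self, lock):
        self.lock = lock
    def execute_order(self, callback):  # hypothetical guarded function
        with self.lock:
            callback()  # external call made while the order is still executing

def simulate(shared_lock):
    # Run one order whose callback tries both re-entry paths.
    ob_lock = Lock()
    vault_lock = ob_lock if shared_lock else Lock()
    orderbook, vault = Orderbook(ob_lock), Vault(vault_lock)
    result = {"orderbook_reentry_blocked": False, "vault_reentry_blocked": False}
    def callback():
        try:
            orderbook.execute_order(lambda: None)  # same-contract re-entry
        except ReentrancyError:
            result["orderbook_reentry_blocked"] = True
        try:
            vault.change_position()  # cross-contract call into the Vault
        except ReentrancyError:
            result["vault_reentry_blocked"] = True
    orderbook.execute_order(callback)
    result["vault_calls_mid_order"] = vault.calls_mid_order
    return result

if __name__ == "__main__":
    for shared in (False, True):
        print("shared lock:", shared, simulate(shared))
```

With per-contract locks the Orderbook re-entry is refused but the Vault call still lands while the order is executing; with one lock shared by both contracts the Vault call is refused as well.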

In a nutshell, this reentrancy attack would have allowed the hacker to bypass the local calculations of the price of Bitcoin (BTC), open a short futures position and manipulate the average short price of BTC downward, «from an initial value of 109,505.77 dollars to 1,913.70 dollars».

Subsequently, the attacker requested a flash loan on GMX of a token whose ticker is GLP at the fair price of $1.45, and opened a long position equivalent to 15 million dollars.

Due to the manipulation of the average short price, short losses were calculated at 15,385,676 * (1,913.70 – 108,757.787) / 1,913.70 = 859,000,107.173, where 108,757.787 represents the current BTC oracle price.

This caused the price of GLP to inflate above $27, after which the attacker exchanged the minted GLP at that price.

GMX, cryptocurrency exchange.

In a personalized message dated July 10, GMX assured the hacker that the reward for returning the funds remained active. It was today, the 11th, that the hacker began to return part of the funds to the exchange's management.
