On July 9, the decentralized trading platform GMX suffered a major exploit, leading to the loss of $42 million in assorted cryptocurrencies.

Now, on-chain data shows that the hacker has changed most of the stolen funds into 11,700 ETH.

The GMX Hack

The Wednesday incident saw the attacker stealing over $10 million worth of legacy Frax Dollar (FRAX), $9.6 million in wrapped Bitcoin (wBTC), and about $5 million in DAI stablecoin.

Following the breach, $9.6 million of the funds were bridged to the Ethereum blockchain and exchanged into DAI and ETH, with a further $32 million remaining on Arbitrum.

GMX confirmed the theft in a post on X:

“The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet.”

However, according to blockchain analytics platform Lookonchain, the bad actor has now exchanged all the stolen assets, except FRAX, into 11,700 ETH, which they then sent to four new wallets.

The protocol had earlier clarified that GMX V2, its markets, liquidity pools, and the GMX token were not affected. It also announced a temporary pause on GLP token minting and redemption on both Arbitrum and Avalanche to prevent further impact and secure funds. Its users were later told to disable leverage and update their settings to block further GLP minting.

Additionally, GMX sent an on-chain message to the hacker, offering a white-hat bounty worth $4.2 million. The proposal also promised there would be no legal consequences if the culprit returned the remaining 90% within 48 hours. So far, they have not responded.

A Re-Entrancy Exploit

A full postmortem report has not yet been released. However, blockchain security firm SlowMist has attributed the breach to a design flaw in GMX V1. The vulnerability enabled the exploiter to manipulate the GLP token price by interfering with the systems calculation of total assets under management.

SlowMist explained that they used a function that enables leverage during order execution and performed a re-entrancy attack. These allow repeated calls within one function, causing a smart contract to calculate the wrong balance.

By opening large short positions in a single transaction, the criminal was able to manipulate the global price data. This action artificially inflated the GLP token price and profit through redemption.

Hacks and cybersecurity attacks remain a major challenge in the crypto industry. A recent CertiK report revealed that over $801.3 million was lost across 144 incidents in Q2 2025. Phishing was the most damaging, with $395 million stolen in 52 exploits. Code vulnerabilities followed closely, causing $235.8 million in losses across 47 cases.