GMX was attacked by hackers, and a leverage vulnerability resulted in losses exceeding $40 million.

GMX was attacked by a hacker, resulting in a loss of over 40 million USD

Recently, a well-known decentralized trading platform suffered a hacker attack, resulting in losses of over 40 million dollars. The attacker exploited a reentrancy vulnerability and executed the attack through short selling while the platform's leverage feature was enabled.

The core issue of the attack lies in the incorrect use of the executeDecreaseOrder function. The first parameter of this function should have been an external account address, but the attacker passed in a smart contract address. This allowed the attacker to re-enter the system during the redemption process, manipulate the internal state, and ultimately redeem assets far exceeding the actual value of the GLP they held.

Under normal circumstances, GLP, as a liquidity provider token, represents the user's share of the treasury assets. When users redeem GLP, the system calculates the amount of assets to return based on the user's proportion of the GLP supply and the current total assets under management (AUM). The AUM calculation involves multiple factors, including the total value of all token pools and the global unrealized profit and loss.

However, once the leverage feature was enabled, a vulnerability appeared in the system. The attacker opened a large short position in WBTC before redeeming GLP. As soon as the short position was opened, the global short position size increased, and without any price change, the system counted the resulting unrealized loss as part of the treasury's "assets", artificially increasing AUM. Although the treasury did not actually gain any additional value, the redemption calculation was based on this inflated AUM, allowing the attacker to obtain assets far exceeding what they were entitled to.


This attack exposed serious flaws in the platform's leverage mechanism and reentrancy protection design. The core issue is that the asset redemption logic places excessive trust in AUM and fails to conduct sufficiently prudent security checks on its components (such as unrealized losses). At the same time, the key function's assumption about the caller's identity is not backed by mandatory verification.
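A toy model of the redemption accounting and the missing checks described above, with the flawed path beside a hardened one (an added example, not GMX's contract code). The field names, the stored short entry price standing in for the manipulated internal state, the 1% tolerance, and all figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    """Toy model of the accounting described above; not GMX contract code."""
    pool_value: float         # USD value of tokens the treasury really holds
    glp_supply: float         # total GLP outstanding
    short_avg_price: float    # stored global short entry price (assumed field)
    short_size: float = 0.0   # global short size in USD notional
    locked: bool = False      # reentrancy lock used by the hardened path

    def short_loss(self, mark: float) -> float:
        # Unrealized loss of short traders, counted as a gain for the pool.
        if mark <= self.short_avg_price:
            return 0.0
        return self.short_size * (mark - self.short_avg_price) / self.short_avg_price

    def aum(self, mark: float) -> float:
        return self.pool_value + self.short_loss(mark)

    def redeem_value(self, glp: float, mark: float) -> float:
        # Payout as described: share of GLP supply times current AUM.
        return glp / self.glp_supply * self.aum(mark)

    def open_short(self, size: float) -> None:
        # Flawed path: size grows but the stored entry price is left stale.
        self.short_size += size

    def redeem_checked(self, glp, mark, aum_ref, mark_ref, tol=0.01):
        # Hardened path: reject nested calls, and reject a redemption priced
        # on an AUM that moved more than tol while the mark price did not.
        if self.locked:
            raise RuntimeError("reentrant call")
        if mark == mark_ref and abs(self.aum(mark) - aum_ref) > tol * aum_ref:
            raise ValueError("AUM moved without a price change")
        self.locked = True
        try:
            return self.redeem_value(glp, mark)
        finally:
            self.locked = False

def demo():
    mark = 100_000.0  # constructed WBTC price, unchanged throughout
    v = Vault(pool_value=1_000_000.0, glp_supply=1_000_000.0, short_avg_price=50_000.0)
    fair = v.redeem_value(10_000, mark)       # payout before any short exists
    v.open_short(500_000.0)                   # no tokens enter the treasury
    inflated = v.redeem_value(10_000, mark)   # same GLP, same price, larger payout
    return fair, inflated
```

In the constructed scenario the same 10,000 GLP is worth 10,000 USD before the short and 15,000 USD after it, while `redeem_checked` rejects the second redemption because AUM moved at an unchanged mark price.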

This incident serves as a reminder to blockchain project developers that they must ensure the system state cannot be manipulated when it comes to sensitive financial operations. Particularly when introducing complex financial logic (such as leverage and derivatives), it is crucial to guard against systemic risks arising from reentrancy and state pollution. For users, it is also important to remain vigilant and recognize that even well-known projects may have security vulnerabilities, necessitating careful risk assessment when participating in DeFi activities.

