BlockSec: Analysis of GMX Attack Principles
Written by: BlockSec
GMX was attacked by hackers, resulting in losses exceeding 40 million dollars. The attackers exploited a reentrancy vulnerability and opened short positions while the contract had leverage functionality enabled to carry out the attack.
The root of the problem lies in the incorrect use of the executeDecreaseOrder function. The first parameter of this function should have been an externally owned account (EOA), but the attacker passed in a smart contract address. This allowed the attacker to re-enter the system during the redemption process, manipulating the internal state, and ultimately redeem assets far exceeding the actual value of GLP held.
GLP Normal Redemption Mechanism
In GMX, GLP is the liquidity provider token that represents a share of the treasury assets (such as USDC, ETH, WBTC). When users call unstakeAndRedeemGlp, the system uses the following formula to calculate the amount of assets to be returned:
redeem_amount = (user_GLP / total_GLP_supply) * AUM
The calculation method for AUM (Assets Under Management) is as follows:
AUM = Total value of all token pools + Global unrealized losses from short positions - Global unrealized profits from short positions - Reserved amount - Preset deductions (aumDeduction)
This mechanism ensures that GLP holders receive a proportional share of the actual assets in the treasury.
Problems After Leverage Is Enabled
When enableLeverage is turned on, users can open leveraged positions (long or short). Before redeeming GLP, the attacker opened a large short position in WBTC.
Opening a short position increases the global short size. Because the price has not yet changed, the system treats this short position as being at a loss by default. This unrealized loss is counted as a treasury "asset", which artificially inflates AUM. Although the treasury has gained no additional value, the redemption calculation uses the inflated AUM, so the attacker receives assets far beyond their fair share.
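The following added example (not BlockSec's or GMX's code) carries the two formulas above through with constructed numbers and shows a monitoring rule that flags AUM growth not backed by pool value. The class, function names, and the 100 bps threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VaultState:
    """Constructed snapshot of the AUM inputs named in the article (whole USD)."""
    pool_value: int      # total value of all token pools
    short_losses: int    # global unrealized losses from short positions
    short_profits: int   # global unrealized profits from short positions
    reserved: int        # reserved amount
    aum_deduction: int   # preset deductions (aumDeduction)
    glp_supply: int      # total GLP supply

    def aum(self) -> int:
        # AUM formula as stated in the article
        return (self.pool_value + self.short_losses - self.short_profits
                - self.reserved - self.aum_deduction)

    def redeem_amount(self, user_glp: int) -> int:
        # redeem_amount = (user_GLP / total_GLP_supply) * AUM, multiplying first
        return user_glp * self.aum() // self.glp_supply


def unbacked_aum_increase(before: VaultState, after: VaultState) -> int:
    """AUM growth between two snapshots that is not matched by pool value growth."""
    return (after.aum() - before.aum()) - (after.pool_value - before.pool_value)


def is_suspicious(before: VaultState, after: VaultState, max_bps: int = 100) -> bool:
    """Hypothetical monitor rule: flag unbacked AUM growth above max_bps of prior AUM."""
    return unbacked_aum_increase(before, after) * 10_000 > max_bps * before.aum()


# Constructed numbers, not taken from the incident.
BEFORE = VaultState(100_000_000, 0, 0, 10_000_000, 0, 90_000_000)
AFTER_SHORT = replace(BEFORE, short_losses=45_000_000)  # pools unchanged
AFTER_DEPOSIT = replace(BEFORE, pool_value=101_000_000, glp_supply=91_000_000)

if __name__ == "__main__":
    glp = 900_000  # 1% of the GLP supply
    print("fair redemption:    ", BEFORE.redeem_amount(glp))
    print("inflated redemption:", AFTER_SHORT.redeem_amount(glp))
    print("flag short snapshot:", is_suspicious(BEFORE, AFTER_SHORT))
    print("flag plain deposit: ", is_suspicious(BEFORE, AFTER_DEPOSIT))
```

The same 1% GLP holding redeems 50% more once the short-loss term is inflated, while an ordinary deposit that raises pool value and GLP supply together does not trip the rule.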
Attack Process
Attack Transaction
Conclusion
This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection design. The core issue is that the asset redemption logic places too much trust in AUM and does not apply sufficiently prudent security checks to its components (such as unrealized losses). In addition, the assumption about the caller's identity (EOA vs. contract) in key functions is not enforced by mandatory verification. The incident is a reminder to developers that sensitive financial operations must not allow the system state to be manipulated, and that introducing complex financial logic (such as leverage and derivatives) requires rigorous guarding against the systemic risks of reentrancy and state contamination.