GMX Hacker Strikes White-Hat Deal: $42M Heist Turns $3M Profit After $5M Bounty Offer

On July 9, decentralized exchange GMX became the latest DeFi protocol to suffer a major exploit, with over $42 million in digital assets reportedly siphoned from its vaults.

According to data from DeBank, the breach involved a suspicious outflow of funds to a single wallet address: 0xdf3340a436c27655ba62f8281565c9925c3a5221.

The stolen funds were then bridged from Arbitrum—a Layer 2 Ethereum scaling network—back to the Ethereum mainnet, a tactic often used by exploiters to hide or launder assets.

In a surprising turn, blockchain analytics platform Lookonchain reported that the attacker agreed to a white-hat deal, opting to return the funds in exchange for a $5 million bounty.

The #GMX hacker chose to return the stolen $42M assets for a $5M white-hat bug bounty.

Currently, $10.49M $FRAX has been returned.

Another $32M assets had been swapped into 11,700 $ETH, which is now worth $35M—netting a ~$3M gain.

🤔Will the hacker return all 11,700… pic.twitter.com/XjBlAK81Mf

— Lookonchain (@lookonchain) July 11, 2025

White-hat deals are occasionally used in DeFi when exploiters are willing to return funds in good faith, often after revealing critical vulnerabilities. This approach seeks to avoid prolonged investigations and reputational damage while recovering assets for affected users.

Partial Returns and a Profitable Arbitrage

According to Lookonchain’s analysis, the hacker has already returned $10.49 million worth of FRAX stablecoins. However, the remaining $32 million was not simply held—it was swapped into 11,700 ETH and is now worth $35 million, resulting in an unexpected $3 million profit due to ETH price appreciation.

The move is sparking debate over whether the attacker will return the full 11,700 ETH or simply send back $32 million and keep the additional gain. As of now, the hacker has yet to confirm their intentions publicly.

The incident is raising questions about how white-hat agreements are enforced and whether attackers can ethically retain profits earned post-exploit. While some see the return of most funds as a net positive, others argue that walking away with millions in profit—even with partial compliance—undermines the very spirit of the white-hat model.

DeFi Security and the Ethics of Exploitation

The incident highlights ongoing security challenges within decentralized finance, particularly in relation to large asset vaults and cross-chain functionality.

As of now, GMX has not confirmed whether a formal white-hat agreement was established prior to the partial return of funds.

The situation remains under observation, with the outcome likely to influence broader discussions around the role of white-hat arrangements and ethical boundaries in DeFi.

GMX Confirms $42M Exploit Rooted in Re-Entrancy Bug

In its lastest post GMX confirms that the $42 million exploit was caused by a re-entrancy vulnerability within its V1 contracts. Although the affected function was protected by a nonReentrant modifier, it only applied within the same contract, allowing the attacker to bypass this safeguard and manipulate the BTC average short price through the Vault contract.

https://t.co/1rfDbjDQ0r

— GMX 🫐 (@GMX_IO) July 10, 2025

By exploiting this loophole, the attacker artificially drove the GLP price up and profited by redeeming inflated GLP tokens after opening a large position using a flash loan.

The vulnerability was tied to how GMX V1 handled pricing calculations across separate contracts, a structure that has been revised in GMX V2, where calculations and executions now occur within the same contract to avoid such risks.

In response, GMX paused trading on Avalanche, engaged with security partners and major infrastructure providers, and initiated direct on-chain communication with the exploiter.

Minting and redemption of GLP on Arbitrum has been temporarily disabled pending the protocol’s transition plan and user reimbursement process.

GMX confirmed that GLP minting on Avalanche is also paused, though redemptions remain active. V1 positions will be wound down and migrated to a reimbursement pool for affected users, and all remaining V1 orders should be cancelled.

GMX has also issued a warning to all V1 forks, urging them to immediately implement fixes and security audits to avoid similar vulnerabilities.