BlockSec: Analysis of GMX Attack Principles
Written by: BlockSec
GMX was attacked by hackers, resulting in losses exceeding 40 million dollars. The attackers exploited a reentrancy vulnerability and, with the contract's leverage functionality enabled, opened short positions to carry out the attack.
The root of the problem lies in the incorrect use of the executeDecreaseOrder function. The first parameter of this function should have been an externally owned account (EOA), but the attacker passed in a smart contract address. This allowed the attacker to re-enter the system during the redemption process, manipulate the internal state, and ultimately redeem assets far exceeding the actual value of the GLP held.
GLP Normal Redemption Mechanism
In GMX, GLP is the liquidity provider token that represents a share of the treasury assets (such as USDC, ETH, WBTC). When users call unstakeAndRedeemGlp, the system uses the following formula to calculate the amount of assets to be returned:
redeem_amount = (user_GLP / total_GLP_supply) * AUM
The calculation method for AUM (Assets Under Management) is as follows:
AUM = Total value of all token pools + Global unrealized losses from short positions - Global unrealized profits from short positions - Reserved amount - Preset deductions (aumDeduction)
This mechanism ensures that GLP holders receive a proportional share of the actual assets in the treasury.
Problems after leverage is enabled
When enableLeverage is turned on, users can open leveraged positions (long or short). Before redeeming GLP, the attacker opened a large short position in WBTC.
Opening a short position increases the global short size, and because the price has not yet changed, the system treats this short position as being at a loss by default. This unrealized loss is counted as "assets" of the treasury, which artificially increases AUM. Although the treasury has not actually gained any additional value, the redemption calculation is based on this inflated AUM, allowing the attacker to obtain assets far beyond what they are entitled to.
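The effect of this on the redemption formula, as an added example that is not BlockSec's or GMX's code: a Python model of the two formulas above with constructed numbers, plus a hypothetical monitoring check (`check_redemption`, `aum_without_paper_losses` and the 500 bps threshold are assumptions) that compares the payout against an AUM excluding unrealized short losses.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vault:
    pool_value: int      # total value of all token pools
    short_losses: int    # global unrealized losses from short positions
    short_profits: int   # global unrealized profits from short positions
    reserved: int        # reserved amount
    aum_deduction: int   # preset deduction (aumDeduction)
    glp_supply: int      # total GLP supply

def aum(v: Vault) -> int:
    # AUM formula as stated in the article.
    return (v.pool_value + v.short_losses - v.short_profits
            - v.reserved - v.aum_deduction)

def aum_without_paper_losses(v: Vault) -> int:
    # Assumption: a conservative AUM that does not count unrealized
    # short losses as treasury assets.
    return aum(v) - v.short_losses

def redeem_amount(user_glp: int, v: Vault, aum_value: int) -> int:
    # redeem_amount = (user_GLP / total_GLP_supply) * AUM,
    # multiplying first as on-chain integer math would.
    return user_glp * aum_value // v.glp_supply

def check_redemption(user_glp: int, v: Vault, max_paper_bps: int = 500) -> dict:
    # Hypothetical monitor: flag a redemption when unrealized short losses
    # make up more than max_paper_bps (basis points) of AUM.
    total = aum(v)
    payout = redeem_amount(user_glp, v, total)
    floor = redeem_amount(user_glp, v, aum_without_paper_losses(v))
    flagged = total <= 0 or v.short_losses * 10_000 > max_paper_bps * total
    return {"payout": payout, "conservative": floor,
            "excess": payout - floor, "flagged": flagged}

# Constructed sample states (not figures from the incident).
BEFORE = Vault(pool_value=1_000_000, short_losses=0, short_profits=0,
               reserved=100_000, aum_deduction=0, glp_supply=900_000)
# Same treasury, but a large short is now booked as an unrealized loss.
AFTER = replace(BEFORE, short_losses=450_000)

if __name__ == "__main__":
    for name, state in (("before", BEFORE), ("after", AFTER)):
        print(name, check_redemption(90_000, state))
```

The treasury holds the same assets in both states, yet the same 90,000 GLP redeems for 50% more in the second one; the difference is exactly the share of the unrealized loss that was counted as an asset.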
Attack Process
Attack Trade
Conclusion
This attack exposed serious flaws in GMX's leverage mechanism and reentrancy protection design. The core issue is that the asset redemption logic places too much trust in AUM, without sufficiently prudent security checks on its components (such as unrealized losses). At the same time, the assumption about the caller's identity (EOA vs contract) in key functions is not enforced by mandatory verification. This incident serves as a reminder to developers that when dealing with sensitive financial operations, they must ensure that the system state cannot be manipulated, and that when introducing complex financial logic (such as leverage and derivatives) they must rigorously guard against systemic risks arising from reentrancy and state contamination.