Analysis of GMX Security Incident Vulnerabilities and Tracking of Stolen Funds

GMX was attacked: the attacker exploited a reentrancy vulnerability in the project's contract and made a profit of approximately 42 million dollars. The Beosin security team analyzed the vulnerability and tracked the stolen funds, and shares the results below:

Detailed Attack Steps

The attacker first exploited the margin refund mechanism in the executeDecreaseOrder function of the OrderBook contract to launch a reentrancy attack, bypassing the leverage switch of the project's Timelock contract.

Then the attacker borrowed USDC through a flash loan and staked it to mint GLP, while at the same time increasing a BTC short position with USDC as collateral. This inflated the AUM value of the GlpManager contract, which in turn affects the price of GLP.

Finally, the attacker redeemed GLP at the abnormal price for profit, specifying other tokens to receive in exchange.

Vulnerability Analysis

From the attack process above, two causes of the exploit can be identified:

  • Lack of reentrancy protection, allowing internal state to be modified during the redemption process.

  • The redemption logic is complex and lacks sufficient security checks.

Although GMX has undergone multiple security audits, this reentrancy vulnerability was still overlooked. Had the redemption logic been subjected to stricter checks and the possibility of reentrancy been considered, this incident could have been avoided.
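As an added illustration that is not GMX's code or part of Beosin's analysis, the following hypothetical, simplified order book shows the pattern described above (an external margin refund made while the leverage switch is open and before state is updated) beside a hardened form; apart from executeDecreaseOrder, every contract, function and variable name is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified order book; not GMX's actual code.
interface IVault { function setLeverage(bool enabled) external; }

abstract contract OrderBookBase {
    struct Order { address account; uint256 margin; }
    IVault public immutable vault;
    mapping(uint256 => Order) public orders;
    constructor(IVault v) { vault = v; }
    function placeOrder(uint256 id) external payable {
        orders[id] = Order(msg.sender, msg.value);
    }
    function _refund(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}(""); // hands control to the account
        require(ok, "refund failed");
    }
}

// Vulnerable pattern: the leverage switch is opened, then margin is refunded by an
// external call BEFORE the order is deleted and the switch is closed again.
contract OrderBookVulnerable is OrderBookBase {
    constructor(IVault v) OrderBookBase(v) {}
    function executeDecreaseOrder(uint256 id) external {
        Order memory o = orders[id];
        require(o.account != address(0), "no order");
        vault.setLeverage(true);      // switch meant to be open for this execution only
        _refund(o.account, o.margin); // reentrancy point: callee runs with leverage enabled
        delete orders[id];            // effects happen after the interaction
        vault.setLeverage(false);
    }
}

// Hardened pattern: reentrancy guard plus checks-effects-interactions, so the
// order is removed and the switch closed before any value leaves the contract.
contract OrderBookHardened is OrderBookBase {
    uint256 private _lock = 1;
    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }
    constructor(IVault v) OrderBookBase(v) {}
    function executeDecreaseOrder(uint256 id) external nonReentrant {
        Order memory o = orders[id];
        require(o.account != address(0), "no order");
        delete orders[id];            // effects first
        vault.setLeverage(true);      // position decrease would run here
        vault.setLeverage(false);     // switch closed before the interaction
        _refund(o.account, o.margin); // interaction last
    }
}
```

The guard alone would already block the re-entry; ordering the refund last additionally ensures that even a non-reentrant callback never observes the leverage switch in its open state.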

Stolen Fund Tracking

Beosin Trace has tracked the stolen funds and found that the attacker's address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 profited approximately 42 million USD, then used DeFi protocols to swap stablecoins and altcoins for ETH and USDC, and moved the stolen assets to the Ethereum network through multiple cross-chain protocols. Currently, stolen assets worth approximately 32 million in ETH are held at the following 4 Ethereum network addresses:

  • 0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7

  • 0x69c965e164fa60e37a851aa5cd82b13ae39c1d95

  • 0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3

  • 0x639cd2fc24ec06be64aaf94eb89392bea98a6605

Approximately $10 million worth of assets are held at the address 0xdf3340a436c27655ba62f8281565c9925c3a5221 on the Arbitrum network. Beosin Trace has added the hacker-related addresses to its blacklist and will continue to monitor them.

According to Beosin Trace analysis, all stolen funds are still held in multiple addresses of the attacker.

Summary

The core of this attack lies in the reentrancy vulnerability in the GMX contract, which allowed the attacker to redeem a large amount of assets for profit through a falsely inflated AUM value. Complex DeFi protocols like GMX require comprehensive, multi-layered security audits that thoroughly test and review the contract code. The Beosin security team has previously completed security audits for a number of DeFi protocols (including Surf Protocol, SyncSwap, LeverFi and Owlto Finance), focusing on contract logic flaws and extreme scenarios that are easily overlooked, to ensure that DeFi protocols are thoroughly tested.
