Decentralized exchange GMX suffered a $42 million exploit on July 9, 2025, targeting its Arbitrum-based v1 perpetual trading platform. Blockchain security firms Cyvers and PeckShield confirmed the attack originated from a malicious smart contract funded through Tornado Cash, with the hacker minting GLP tokens to redeem high-value assets including ETH, USDC, wBTC ($9.6M), DAI ($5M), FRAX ($10M+), and others.
GMX responded by sending an on-chain message offering a 10% white-hat bounty ($4.2M) for the return of remaining funds within 48 hours, pledging no legal action. Approximately $9.6 million was bridged to Ethereum, while $32 million remains on Arbitrum. Following the breach, GMX's native token plummeted 17% to $11.70—a two-month low.
Circle, issuer of USDC, faced criticism for delayed response after the exploiter held $30M in USDC during the attack and converted $4.3M to DAI post-hack. The incident adds to $2.5 billion in crypto losses from hacks and scams in H1 2025, per CertiK. Launched in 2021, GMX has processed $305B+ in lifetime volume across Arbitrum, Avalanche, and Solana.