defirisk.co
rubric v1.7.0

GMX V1: Cross-Contract Reentrancy via Order-Keeper Callback

A cross-contract reentrancy bug introduced by GMX's own 2022 security patch let an attacker manipulate GLP pricing from $1.45 to $27, threatening $42M — recovered via white-hat coordinated disclosure for a $5M bounty.

Occurred: 2025-07-09 | Loss: — | Status: closed

Summary

GMX V1, a Perpetuals DEX / Liquidity Pool (GLP) protocol, was exploited on 2025-07-09, resulting in a loss of approximately —.

Linked factors

  • RD-F-001 (related):
    ◦ ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — keeper callbacks, globalShortAveragePrices logic, and AUM circular dependency were all post-audit additions or changes]
    ◦ ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — keeper callbacks, globalShortAveragePrices logic, and AUM circular dependency were all post-audit additions or changes]
    ◦ ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-002 (illustrative): Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~3 years at exploit (extensive post-audit code changes)]
  • RD-F-004 (related): Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited post-audit code; bug introduced by a security patch in 2022]
  • RD-F-006 (related):
    ◦ Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No new deployment — but code significantly changed since last audit]
    ◦ Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No new deployment — but code significantly changed since last audit]
    ◦ Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
    ◦ (+1 more matches)
  • RD-F-081 (related): Auto-linked by C.4 triage 2026-05-07
  • RD-F-084 (related): Auto-linked by C.4 triage 2026-05-07
  • RD-F-090 (illustrative): Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker wallet funded via Mayan Swift Bridge 48h prior; attack contract deployed day-of]
  • RD-F-099 (illustrative): Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — GLP price spiked from $1.45 to $27+ (18x); BTC globalShortAveragePrice collapsed 98% within transaction]
  • RD-F-126 (related): Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes (GMX V1 widely forked across DeFi — all forks inherited same vulnerability)]
  • RD-F-139 (related): ★ Post-audit code changes deployed without re-audit [via cross-hack: Factor 21: Post-Audit Code Change Without Re-Audit]
  • RD-F-141 (illustrative): Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 (illustrative):
    ◦ New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
    ◦ New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: No new deployment — but code significantly changed since last audit]