Decentralized Finance (DeFi) platform GMX has been hacked for $42 million, with considerations rising that the broadly forked codebase could result in repeat assaults.
Stablecoin issuer Circle got here below fireplace for what was seen as a sluggish response to the incident, after it missed its probability to freeze a good portion of the stolen funds.
Within the hour following the assault, the hacker bridged thousands and thousands of USDC from the Arbitrum community to Ethereum earlier than swapping the USDC for DAI, which can’t be frozen.
The assault seems to be associated to a bug within the GMX v1 code; safety auditors BlockSec suspect {that a} reentrancy vulnerability is concerned.
Along with the $42 million stolen, the GMX token worth is down roughly 25% for the reason that hack, in line with knowledge from CoinMarketCap.
The GMX staff acknowledged the hack through X, assuring that “the exploit does not affect GMX V2, its markets, or liquidity pools, nor the GMX token itself.” A developer has reached out to the attacker through an on-chain message, providing a ten% bounty for the return of funds.
Working circles round Circle
Varied observers on X have identified the shortage of motion from USDC issuer Circle, which might have blacklisted the hacker’s deal with and frozen over $9 million of stolen funds.
The exploiter even used Circle’s personal bridging device to maneuver 8 million USDC between the Arbitrum and Ethereum blockchains as a way to swap it for the unfreezable DAI.
Blockchain investigator ZachXBT, a frequent critic of Circle for its lack of motion within the moments after hacks, chimed in, “Circle just does not care about the ecosystem.”
He claims to have alerted “multiple team members within minutes” after the hack, however to no avail. He additionally addressed Circle’s CEO, Jeremy Allaire, immediately.
Others contrasted the speedy freeze of 1.3 million USDT0 (Tether and Everdawn Lab’s cross-chain model of USDT), which was briefly held by the exploiter, although the transaction got here simply 23 seconds too late.
Are GMX forks going to be hacked too?
GMX was one of many darlings of DeFi’s final cycle as one of many first platforms to supply buying and selling of crypto perpetuals immediately on-chain.
Launched in September 2021, GMX accrued over $350 million of whole worth locked (TVL) within the DeFi mania main as much as the collapse of UST/LUNA.
The platform’s TVL peaked in Could 2023 at round $700 million, in line with knowledge from DeFiLlama.
Its recognition provoked an explosion of quick “forks,” new tasks reusing an present codebase as a way to capitalize on the success of a brand new sort of platform. Blockchain safety agency Peckshield fears that the vulnerability exploited in GMX v1 might also be current in these forked tasks.
It’s best to withdraw all funds from any gmx v1 forks asap, there are masses it was essentially the most copied dex a couple of years again
— jmo (@cuntycakes123) July 9, 2025
A complete of $28 million might doubtlessly be in danger throughout all v1 forks. DeFiLlama tallies 64 such tasks, although solely 13 maintain greater than $100,000.
GMX took to X to situation a warning to forks and offered potential mitigation measures, together with disabling leverage and minting of GLP tokens.
