Our initial analysis of today’s GLP exploit, conducted in collaboration with our security partners and lead auditor, still confirms that the attack vector is specific to GMX V1. The manipulation involved relates to the calculation of the short average price on V1, and the same calculation mechanism is not employed in the GMX V2 contracts.

Out of an abundance of caution, GMX had already updated the caps for the GM tokens of GMX V2 on Arbitrum and Avalanche, so that minting new tokens is currently restricted in most liquidity pools. A follow-up notification will be sent out once this restriction is lifted.

GMX will provide a detailed post-mortem analysis publicly, as soon as the investigation into the incident is complete.

The GLP pool of GMX V1 on Arbitrum has experienced an exploit. Approximately $40M in tokens has been transferred from the GLP pool to an unknown wallet.

Security has always been a core priority for GMX, with the GMX smart contracts undergoing numerous audits from top security specialists. So, in this hands-on-deck moment, all core contributors are investigating how the manipulation occurred, and what vulnerability may have enabled it.

Our security partners are also deeply involved, to ensure we gain a thorough understanding of the events that occurred and minimise any associated risks as quickly as possible. Our primary focus is on recovery and pinpointing the root cause of the issue.

Actions taken:

Trading on GMX V1, and the minting and redeeming of GLP, have been disabled on both Arbitrum and Avalanche to prevent any further attack vectors and protect users from additional negative impacts.

Scope of the vulnerability:

Please note that the exploit does not affect GMX V2, its markets, or liquidity pools, nor the GMX token itself.

Based on the available information, the vulnerability is limited to GMX V1 and its GLP pool.

As soon as we have more complete and validated information, a detailed incident report will follow.