SlowMist Yu Xian: GMX v1 design flaws led to last night's theft. The attacker manipulated the global average price by re-entering to create large short positions.

On July 10th, SlowMist Yu Xian posted on social media: "The fundamental reason for the $42.00 million $GMX hack last night is that $GMX v1 immediately updates the global short average price (globalShortAveragePrices) when processing short positions. This global average price directly affects the calculation of the total assets under management (AUM), which in turn leads to the manipulation of the GLP token price. The attacker exploited this design flaw by enabling the timelock.enableLeverage feature (a prerequisite for creating large short orders) when the Keeper executes orders. Through re-entry, the attacker successfully created a large short position to manipulate the global average price, artificially increasing the GLP price in a single transaction and profiting through redemption. Doing DeFi is truly a high-risk business. $GMX is a very established decentralized perpetual trading platform, and this time it has fallen into a big pit. It's hard to say whether a 10% white hat bounty strategy will tempt the attacker..." [Deep Tide TechFlow]