BlockBeats News, July 11th: GMX officially released a summary report on the $42 million exploit of GMX V1 on Arbitrum.
Event Summary:
The attacker exploited a vulnerability by directly calling the Vault contract's increasePosition function, bypassing the PositionRouter and PositionManager contracts (usually responsible for calculating the average short price);
The attacker manipulated the BTC average short price from $109,505.77 to $1,913.70;
Using a flash loan, the attacker purchased GLP at a normal price of $1.45, opening a $15 million position;
Due to the manipulated price, the GLP price was pushed above $27, allowing the attacker to redeem GLP at a profit;
GMX has confirmed that V2 does not have a similar vulnerability.
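The design flaw in the first point, bookkeeping that lives in periphery contracts and is skipped by a direct call, can be shown with a toy model. This is an added example, not GMX code or part of the report: the class names, the size-weighted average formula and all sizes and prices are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def next_avg(vault, size_usd, price):
    """Size-weighted mean entry price (a simplification assumed for this model)."""
    total = vault.short_size + size_usd
    return (vault.short_avg_price * vault.short_size + price * size_usd) / total

@dataclass
class Vault:
    """Toy state-holding contract; hypothetical model, not GMX code."""
    enforce_in_vault: bool = False   # True = hardened variant
    short_size: float = 0.0          # total open short size, USD
    short_avg_price: float = 0.0     # stored global average short price
    fills: list = field(default_factory=list)  # (size_usd, price) event log

    def increase_position(self, size_usd, price):
        if self.enforce_in_vault:
            # Hardened: the contract that owns the state updates the average
            # itself, so no entry point can skip it.
            self.short_avg_price = next_avg(self, size_usd, price)
        self.short_size += size_usd
        self.fills.append((size_usd, price))

class Router:
    """Toy periphery contract; in the weak design it alone updates the average."""
    def __init__(self, vault):
        self.vault = vault

    def increase_short(self, size_usd, price):
        if not self.vault.enforce_in_vault:
            self.vault.short_avg_price = next_avg(self.vault, size_usd, price)
        self.vault.increase_position(size_usd, price)

def avg_drift(vault):
    """Monitoring check: relative drift of the stored average vs. the fill log."""
    total = sum(size for size, _ in vault.fills)
    expected = sum(size * price for size, price in vault.fills) / total
    return abs(vault.short_avg_price - expected) / expected

def run(enforce_in_vault):
    # Constructed sizes and prices, not figures from the incident.
    vault = Vault(enforce_in_vault=enforce_in_vault)
    Router(vault).increase_short(1_000_000, 100_000.0)  # normal path
    vault.increase_position(3_000_000, 110_000.0)       # direct call, no Router
    return avg_drift(vault)

if __name__ == "__main__":
    print(f"weak design drift:     {run(False):.2%}")
    print(f"hardened design drift: {run(True):.2%}")
```

The same recomputation in `avg_drift` can run off-chain against position events as an alert on any fork that still keeps this bookkeeping outside the state-holding contract.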
Next Steps and Status of Funds:
Approximately $3.6 million remains in the GLP pool, reserved for unclosed positions;
This week's V1 fees on Arbitrum are around $500,000 (excluding the 30% allocated to GMX stakers) and will be transferred to the DAO treasury for compensation;
GLP minting and redemption on Arbitrum will be disabled (redemption disabling requires a 24-hour Timelock);
Minting on Avalanche will be disabled, but redemption will be retained;
Position closures for V1 on Arbitrum and Avalanche will be enabled, and opening positions will be disabled to prevent the exploit from recurring;
V1 orders on Arbitrum and Avalanche will be canceled. Remaining funds from GLP on Arbitrum will be allocated to a compensation pool for affected GLP holders.
After the above steps are completed, the GMX DAO will discuss further compensation measures. It is recommended that all GMX V1 forks take immediate action and refrain from transactions and minting of GLP-like tokens until fixes and audits are completed.