In one of 2025’s most audacious crypto exploits, hackers drained $42 million from GMX’s Arbitrum-based liquidity pool. The attack, which occurred in broad daylight, leveraged flash loans to manipulate mint-and-redeem mechanisms inside GMX’s GLP pool, allowing attackers to extract millions in real assets, including ETH, LINK, UNI, DAI, and USDC.
GMX missed the specific logic vulnerability that enabled this surgical financial strike, even though the protocol was backed by audits from Quantstamp and ABDK and offered a $5 million bug bounty. After the exploit, GMX paused trading on V1 for both Arbitrum and Avalanche, and the token’s value immediately plunged by over 15%.
The attackers used flash loans to create fake leverage situations within the GLP structure, resulting in inflated positions without sufficient collateral. They swiftly exchanged the stolen assets for more valuable ones, funneling $9.6 million into Ethereum via Circle’s CCTP and distributing the remaining $32 million across the Arbitrum network.
Investigators believe the exploit required a thorough understanding of DeFi architecture and on-chain economic manipulation, pointing to an experienced, possibly state-level operator. In a bold move, GMX issued an on-chain message offering a 10% white-hat bounty if the attacker returned the funds within 48 hours.
As the crisis evolved, blockchain security organizations and on-chain specialists analyzed the addresses involved in the exploit. The funds were quickly moved through mixers, obscuring the trail almost immediately.
Although $42 million is no small sum, the GMX exploit is only the latest in a growing list of massive DeFi failures this year.
Here’s how it stacks up:
| Protocol | Amount Stolen | Method Used | Suspected Actors |
|---|---|---|---|
| GMX (Arbitrum) | $42M | GLP leverage logic manipulation | Unknown |
| Bybit (Feb 2025) | $1.5B | Cold wallet mis-signed transfers | Lazarus Group (NK) |
| WazirX (Jul 2024) | $234M | Multisig wallet compromise | Lazarus Group suspected |
| DMM Bitcoin | $304M | Key spoofing & address hijacking | Unknown |
| Radiant Capital | $58M | Malware-injected dev environment | Unknown |
Although the biggest cryptocurrency theft to date was the $1.5 billion Bybit haul, the GMX case is extremely worrisome, since the hackers were able to break the economic logic of an audited protocol rather than exploit a flaw in a smart contract or the loss of a private key.
The GMX exploit shows that even well-audited platforms with bug bounties aren’t safe from advanced manipulation of economic mechanisms.
Moreover, the speed and precision of the attack mirror tactics used in state-sponsored cybercrime, causing regulatory scrutiny and investor anxiety to spike.
With over $2.3 billion lost in hacks so far in 2025, this event further shatters the illusion of security in decentralized systems, and DeFi is partially to blame. As it turns out, no protocol is truly “battle-tested.” However, logic-layer exploits are the newest type of crypto attack, and we have to give crypto companies some benefit of the doubt. In any case, requiring formal proofs, real-time anomaly detection, and smarter economic designs can save crypto in the long run.
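The real-time anomaly detection mentioned above, sketched as an added example (not code from GMX or from this article): it flags any transaction that both mints and redeems pool shares while the implied share price swings sharply and the caller exits with a net gain. The event shape, the 2% threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class PoolEvent:
    """Hypothetical record: one mint or redeem call observed on-chain."""
    tx: str           # transaction id (sample values below are constructed)
    action: str       # "mint" or "redeem"
    shares: float     # pool shares minted or burned
    usd_value: float  # USD paid in (mint) or paid out (redeem)

MAX_PRICE_SWING = 0.02  # assumed tolerance: 2% share-price move inside one tx

def flag_transactions(events, max_swing=MAX_PRICE_SWING):
    """Return {tx: reason} for same-transaction round trips that look manipulated."""
    by_tx = defaultdict(list)
    for e in events:
        if e.shares > 0:  # ignore malformed records instead of dividing by zero
            by_tx[e.tx].append(e)
    alerts = {}
    for tx, evs in by_tx.items():
        if {e.action for e in evs} != {"mint", "redeem"}:
            continue  # only mint-and-redeem inside one transaction is checked
        prices = [e.usd_value / e.shares for e in evs]  # implied price per share
        swing = (max(prices) - min(prices)) / min(prices)
        paid = sum(e.usd_value for e in evs if e.action == "mint")
        received = sum(e.usd_value for e in evs if e.action == "redeem")
        # An honest round trip loses a little to fees; a large in-tx price
        # move combined with a net gain breaks that invariant.
        if swing > max_swing and received > paid:
            alerts[tx] = (f"share price moved {swing:.1%} in-tx, "
                          f"net gain ${received - paid:,.0f}")
    return alerts

# Constructed sample data, not taken from any real chain.
SAMPLE = [
    PoolEvent("0xaaa", "mint", 1000.0, 1000.0),          # plain deposit
    PoolEvent("0xbbb", "mint", 5000.0, 5050.0),
    PoolEvent("0xbbb", "redeem", 5000.0, 5045.0),        # round trip, small fee loss
    PoolEvent("0xccc", "mint", 100000.0, 101000.0),
    PoolEvent("0xccc", "redeem", 100000.0, 150000.0),    # price jumps mid-transaction
]

if __name__ == "__main__":
    for tx, reason in flag_transactions(SAMPLE).items():
        print(tx, reason)
```

In production the same invariant would be evaluated against decoded contract events per block, with the alert wired to a pause or rate-limit control rather than a print statement.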