GMX Hacker Returns Stolen $40 Million, Accepts $5M Bounty

Less than 48 hours after siphoning about $42 million in cryptocurrencies from the decentralized trading platform GMX, the hacker responsible for the attack has begun to return the stolen loot.

According to an update from the on-chain sleuth PeckShield, the GMX exploiter has returned at least $40.5 million in crypto assets, including ether (ETH) and Legacy Frax Dollar (FRAX).

Root Cause of the Exploit

Recall that the hacker exploited GMX’s smart contracts to steal the funds on July 9. A postmortem report from the firm confirmed that it was a re-entrancy attack. The exploiter took advantage of a smart contract function that could not prevent re-entrancy issues within the same smart contract.

This design flaw on GMX V1 enabled the criminal to place multiple calls within one function and caused the contract to calculate the wrong balance. They were able to artificially inflate the price of GLP, which is the liquidity provider token for GMX.

After the breach, they stole several assets, including Wrapped bitcoin (WBTC), FRAX, and DAI. They eventually bridged the funds from Arbitrum to Ethereum and converted all, except FRAX, to 11,700 ETH.

While the hacker made these moves, GMX dropped an on-chain message, offering a 10% white hat bounty in exchange for the stolen funds. The proposal would last for 48 hours, with a promise of no legal consequences.

Hacker Returns Stolen Funds

Earlier today, the hacker responded to GMX’s 10% bounty offering, with a message that read: “Ok, funds will be returned later.” They first returned $10.49 million FRAX to the GMX Security Committee Multisig address. The remaining $32 million, which were swapped for ETH earlier, have also been returned in batches.

Notably, the $32 million ETH was worth $35 million today following the spike in ether’s price. The hacker took the $3 million profit and returned the original amount. Therefore, they took a bounty of roughly $4.5 million and returned a total of $40.5 million.

Meanwhile, GMX has confirmed that the incident did not affect its V2 protocol, as the chain does not have the vulnerability that enabled the attack on V1. The team has lifted the minting caps it placed on liquidity tokens for GMX V2 on Arbitrum and Avalanche.

GMX, the native token of the GMX platform, has also recovered from a sudden dip caused by the incident. Data from CoinMarketCap shows the asset is up over 13% today.