Exploiter Returns $40 Million to GMX Days Post-Hack, Lifting Token Higher

GMX Hacker Returns $40M After Exploit, Token Rebounds Sharply

The hacker who drained over $40 million from GMX’s V1 contracts earlier this week has begun returning the stolen funds, sparking a strong rebound in GMX’s token price.

Earlier this week, attackers exploited a reentrancy vulnerability in GMX’s OrderBook contract on Arbitrum, allowing them to manipulate BTC short positions, inflate the GLP pool’s valuation, and extract significant profits in USDC, WBTC, WETH, and FRAX.

On Friday, blockchain watchers spotted an on-chain message from the hacker that read: “ok, funds will be returned later.” Soon after, over $10.5 million in FRAX was sent back to GMX’s deployer wallet, flagged by security firm PeckShield.

By Friday afternoon, more than $40 million worth of various tokens—including around 9,000 ETH and 10.5 million FRAX—had been transferred to the GMX Security Committee’s multisig address, according to data tracked by Lookonchain.

PeckShieldAlert (@PeckShieldAlert)
“#PeckShieldAlert #GMX Exploiter has returned a total of $37.5M worth of cryptos, including ~9K $ETH & 10.5M $FRAX to the #GMX Security Committee Multisig address.”
July 11, 2025

Following the return of funds, GMX’s token surged by 13% in the past 24 hours, trading around $13.15.

In response to the exploit, GMX temporarily halted V1 trading and minting operations on both Arbitrum and Avalanche. The protocol had offered the attacker a $5 million white-hat bounty—over 10% of the stolen amount—and pledged no legal action if the funds were fully returned within 48 hours, a deadline the hacker appears to have met.

Reentrancy exploits remain a serious risk for decentralized finance, enabling attackers to repeatedly call smart contract functions within the same transaction to drain assets.

GMX’s rapid recovery effort and partial fund return highlight both the vulnerabilities and resilience of the DeFi ecosystem.