GMX V1's `Vault.sol` tracked `globalShortAveragePrice` and AUM via `getAum()`/`getAumE30()`, which fed both GLP minting/redemption and short-PnL settlement. When a short position was closed, the realized PnL was computed against `globalShortAveragePrice` and the GLP price was re-derived in the same call path. However, the AUM calculation read the current `globalShortAveragePrice` *before* the close had updated it, so a freshly opened large short could be closed immediately in a way that recursively shifted GLP pricing in the attacker's favor across multiple positions in one block. The exploit chained large WBTC/WETH/UNI shorts opened at the manipulated mark, then closed them against the still-stale `globalShortAveragePrice`, with the AUM mispricing letting the attacker realize PnL the pool had no liquidity to back. GMX V1's AvgPrice manipulation surface had been publicly discussed since 2022, so the bug was a chosen risk on a frozen contract; the 2025-07-09 incident exploited the same long-standing surface after a market condition aligned.
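The following is an added example, not code from GMX or from the original write-up: a simplified Python model of how a stale stored short average price skews AUM, with a consistency check a monitor could run against it. The short-adjustment formula, the harmonic-mean recomputation, every function name and the sample figures are assumptions made for illustration.

```python
"""Simplified model (an assumption, not GMX source) of short PnL inside pool AUM."""
from dataclasses import dataclass

@dataclass
class Short:
    size_usd: float     # notional size in USD
    entry_price: float  # mark price when the short was opened

def true_short_average(shorts):
    # Size-weighted harmonic mean: the single average price that yields the
    # same aggregate PnL as summing every open short individually.
    total = sum(s.size_usd for s in shorts)
    return total / sum(s.size_usd / s.entry_price for s in shorts)

def short_adjustment(total_size, avg_price, mark):
    # Amount added to AUM for open shorts: positive when shorts are losing
    # (mark above average), negative when the pool owes them profit.
    return total_size * (mark - avg_price) / avg_price

def aum(pool_value, shorts, stored_avg, mark):
    total = sum(s.size_usd for s in shorts)
    return pool_value + short_adjustment(total, stored_avg, mark)

def check_average(pool_value, shorts, stored_avg, mark, tolerance=0.001):
    # Monitoring check: recompute the average from the open positions and
    # report how far AUM derived from the stored value drifts from it.
    expected = true_short_average(shorts)
    error = (aum(pool_value, shorts, stored_avg, mark)
             - aum(pool_value, shorts, expected, mark))
    drift = abs(stored_avg - expected) / expected
    return {"expected_avg": expected, "aum_error": error, "stale": drift > tolerance}

# Constructed sample data: two shorts, while the stored average still
# reflects only the first one.
SHORTS = [Short(1_000_000, 100_000), Short(1_000_000, 110_000)]
POOL_VALUE = 10_000_000
STALE = check_average(POOL_VALUE, SHORTS, stored_avg=100_000, mark=105_000)
FRESH = check_average(POOL_VALUE, SHORTS,
                      stored_avg=true_short_average(SHORTS), mark=105_000)

if __name__ == "__main__":
    print(STALE)
    print(FRESH)
```

In this constructed case the stale average overstates AUM by roughly $95,000 on $2,000,000 of open short interest, which is the kind of drift an invariant check on every position change would surface.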
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run `forge test` against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only, not for live targets.
Classification: Protocol Logic. Technique: Re-entrancy Exploit. Target type: DeFi Protocol. Affected chains: Arbitrum. Implementation language: Solidity. Funds returned: $40,000,000.
- chain: arbitrum
- protocol: GMX V1 Perps
- bug_class: logic
- date_occurred: 2025-07-09
- loss_usd: $42,000,000
- classification: Protocol Logic
- technique: Re-entrancy Exploit
- target_type: DeFi Protocol
- language: Solidity
- source_id: dl:337