In brief
- After losing $40 million in crypto on Wednesday, GMX saw stolen funds returned.
- The attacker, who appeared to accept a bounty offer, meanwhile sent $5 million worth of Ethereum to the coin mixer Tornado Cash.
- GMX determined that it was hit with a re-entrancy attack.
Some say crime doesn’t pay—but blockchain data suggests that an attacker who exploited a flaw in GMX’s codebase earlier this week is walking away with a $5 million bounty.
“Ok, funds will be returned later,” the individual said in an on-chain message on Friday, days after they absconded with over $40 million worth of crypto from the decentralized exchange.
GMX, which specializes in perpetual futures trading on Avalanche and the Ethereum layer-2 scaling network Arbitrum, was later sent $10 million worth of the stablecoin Frax, which had swiftly disappeared from GMX’s GLP pool on Wednesday, blockchain data show.
In total, it appeared the exploiter had returned $40.5 million worth of cryptocurrency, including 10,000 Ethereum, with funds being held in a digital wallet operated by GMX’s security committee, blockchain security and analytics firm PeckShield said on X.
Although the attacker initially stole $40 million worth of crypto from GMX, that sum inflated as Bitcoin hit a new all-time high and Ethereum cracked $3,000 for the first time in five months.
In an on-chain message, GMX had offered the attacker “a 10% white-hat bounty” on Wednesday, promising not to pursue further legal action if the bulk of stolen funds were returned.
GMX’s token was recently changing hands around $12.24, a 16% jump over the past day, according to crypto data provider CoinGecko. It had still fallen 6% on the week, however.
Most attackers will consider how easy it is to cover their tracks, or how motivated the affected party is to recover funds, before returning stolen crypto, Marcin Kaźmierczak, co-founder and COO of modular blockchain oracle Redstone, told Decrypt.
“Forensics tools have been becoming more and more sophisticated,” he noted. “We’ve seen more and more cases of just accepting the bounty and returning the vast majority of the funds.”
In a post-mortem published on Thursday, GMX said on X that the attacker used a re-entrancy attack to manipulate the exchange’s GLP pool on Arbitrum, where funds are pooled together from the sale of GLP tokens, which reward holders with fees from GMX users’ activity.
The attacker was able to withdraw millions of dollars from GMX’s GLP pool by redeeming GLP tokens for digital assets like Bitcoin and Ethereum at an inflated price. The price of GLP tokens became inflated as the attacker messed with the logic for calculating short positions for Bitcoin on GMX, the decentralized exchange said.
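The pattern GMX describes, a redemption priced on pool state that is only partly updated when control passes to the caller, in a deliberately simplified Solidity model. This is an added illustration, not GMX's code: PoolBase, VulnerablePool and GuardedPool are hypothetical, and the real exploit involved GMX's short-position accounting rather than this toy pricing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical share pool (not GMX's code): shares redeem at
// poolAssets / totalShares, whatever those values are when the price is read.
abstract contract PoolBase {
    uint256 public poolAssets;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    function deposit() external payable {
        uint256 minted = totalShares == 0
            ? msg.value : (msg.value * totalShares) / poolAssets;
        shares[msg.sender] += minted;
        totalShares += minted;
        poolAssets += msg.value;
    }
}

// Vulnerable: accounting is split around an external call. During the
// callback totalShares is already reduced but poolAssets is not, so the
// share price is inflated and a reentrant redeem() is paid at that price.
contract VulnerablePool is PoolBase {
    function redeem(uint256 amount) external {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = (amount * poolAssets) / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: payout}(""); // reentry point
        require(ok, "transfer failed");
        poolAssets -= payout;                             // updated too late
    }
}

// Hardened: checks-effects-interactions (every state change happens before
// the external call) plus a mutex, so redeem() cannot be re-entered at all.
contract GuardedPool is PoolBase {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function redeem(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = (amount * poolAssets) / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        poolAssets -= payout;                             // effects first
        (bool ok, ) = msg.sender.call{value: payout}(""); // interaction last
        require(ok, "transfer failed");
    }
}
```

Reviewing for any external call that sits between two related state updates, and checking that every price-reading function sees fully consistent state, is the audit step that catches this class of bug before deployment.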
“This wasn’t a smash-and-grab,” Suhail Kakar, who leads developer relations for crypto network TAX, said on X on Wednesday. “It was a long-planned, precision hit.”
In 2016, the DAO hack on Ethereum resulted in $55 million in losses, making it one of the most prominent examples. Since then, security experts say that re-entrancy attacks have become an all-too-common flaw affecting myriad projects over the years, despite education and solutions.
On Friday morning, funds kept by the attacker bounced from wallet to wallet until they reached Tornado Cash, the Ethereum coin mixer, blockchain data shows. In total, 1,700 Ethereum was sent to the tool U.S. authorities have flagged as a way for criminals to mask the flow of funds.