GMX releases a summary report on the $40 million vulnerability attack: GMX DAO will discuss further compensation measures

ChainCatcher message, according to a report released by GMX officials, a summary report on the approximately $40 million vulnerability attack incident on GMX V1 on Arbitrum. The attacker directly called the increasePosition function of the Vault contract through reentrancy, bypassing the PositionRouter and PositionManager contracts (which are usually responsible for calculating the average short price). By manipulating, the attacker reduced the average short price of BTC from $109,505.77 to $1,913.70. Using a flash loan, the attacker purchased GLP at a normal price of $1.45, opening a position of $15 million. Due to the manipulated price, the GLP price was pushed up to over $27, allowing the attacker to redeem GLP at a high price for profit. GMX has confirmed that V2 has no similar vulnerabilities.

Next steps regarding funding: Approximately $3.6 million remains in the GLP pool, reserved for open positions. The fees for V1 GLP on Arbitrum this week are about $500,000 (after deducting the 30% allocated to GMX stakers), which will be transferred to the DAO treasury for compensation. The minting and redemption of GLP on Arbitrum will be disabled (redemption disable requires a 24-hour Timelock). Minting of GLP on Avalanche will be disabled, but the redemption function will be retained. Closing of V1 positions on Arbitrum and Avalanche will be enabled, while opening new positions will be disabled to prevent the reoccurrence of vulnerabilities. Orders on V1 for Arbitrum and Avalanche will be canceled. Remaining funds in GLP on Arbitrum will be allocated to a compensation pool for affected GLP holders.

After the above steps are completed, GMX DAO will discuss further compensation measures. It is recommended that all GMX V1 forks take immediate action, and trading and minting of similar tokens to GLP should only be re-enabled after repairs and audits.