The attacker managed to take advantage of GMX’s minimum spread and zero price impact features to execute the exploit. It affected the GLP token holders who had contributed liquidity to the exchange in the form of AVAX tokens.
GMX confirmed the exploit on Twitter stating that the AVAX/USD trade would continue to be operational but with a cap of $2M and $1M for long and short positions respectively.
Joshua Lim, the head of derivatives at Genesis Trading, analyzed the price manipulation over a Twitter thread, which stated that the trader “successfully extracted profits from GMX’s AVAX/USD market by opening large positions at 0 slippage, then moving AVAX/USD on other venues in their favor.”
The trade was repeated 5 times, each with over 200,000 AVAX worth $4-$5 million. After paying for spreads to other market-makers, the trader settled with over $550,000 in profit.
According to Lim, something similar can’t happen on other exchanges such as FTX because “you can’t trade at an oracle price on FTX, you pay some slippage as you execute up the orderbook. You’d move price from $17.95 to $20.25 to buy 200k units of AVAX-PERP.”
GMX’s “zero price impact” doesn’t display the real cost of liquidity like other platforms, allowing for price manipulation. The DEX might have to disincentivize the feature despite it being a selling point to avoid such attacks.
The community reacted mostly negatively to the news. A Twitter user pointed out the flaw was earlier predicted, but GMX didn’t take any action. Some GLP token holders wanted to know if there’s any compensation plan.
GMX was launched towards the end of 2021 on Arbitrum, an Ethereum scaling solution. Users can supply AVAX, ETH, and BTC to provide liquidity in exchange for GLP tokens on the platform.