On September 2, a founder of a decentralized exchange (DEX) competitor to GMX said that an exploit could be pulled off on GMX. Such a scenario would leave GLP holders short. Ironically, the exploit happened 16 days later.
GMX decentralized exchange has allegedly suffered a price manipulation exploit from a hacker who managed to make off with about $565,000 from the AVAX/USD market.
The unidentified exploiter is understood to have capitalized on GMX’s “minimal spread” and “zero price impact” features to pull off this exploit, which affected GLP token holders who offered liquidity in the form of AVAX (the Avalanche token) to GMX.
GMX confirmed the price manipulation exploits in a September 18 post on Twitter but said that the AVAX/USD market would remain open despite having imposed a $2 million cap on long positions and a $1 million cap on short positions.
We were notified of price manipulation of AVAX/USD on reference exchanges by monitoring systems and community members.
While we review the occurrence, open-interest for AVAX has been capped at $2m long / $1m short.
GLP and GMX trading markets continue to operate normally.
— GMX 🫐 (@GMX_IO) September 18, 2022
Head of Derivatives at Genesis Trading Joshua Lim was one of the first to analyze the exploit, saying that the exploiter:
“Successfully extracted profits from GMX’s AVAX/USD market by opening large positions at 0 slippage before transferring the AVAX/USD to centralized exchanges at a slightly higher price.”
Lim said that the exploit method was repeated up to five times, with the first cycle taking effect at 01:15 UTC on September 18. Every cycle transferred over 200,000 AVAX tokens, nearly $4-5 million per cycle with the exploiter withdrawing around $565,000 in profit after paying spread to market makers on other exchanges.
3/ let's take a look at the first cycle which took place from 01:15:31 to 01:28:11 UTC. X was able to extract roughly $158k in profit by trading clips of $4-5mm at a time pic.twitter.com/W6eu7Iz6lz
— Joshua Lim (@joshua_j_lim) September 18, 2022
Lim nonetheless noted that this was not an “exploit” in that it was “GMX working as designed.”
Technical analyst ‘Duo Nine’ added that the exploiter managed to take advantage of several huge trades against GLP holders since the fixed prices supplied by the Chainlink-run oracles come without any price impact, which is what made the price manipulation exploit possible.
“If traders make a profit, the liquidity providers lose. If traders exploit this vulnerability, the GLP holders may lose all their money!”
While GMX instantly capped short and long open interest for AVAX/USD to protect the DEX from more manipulation, Lim said that GMX may have to scrap its “zero price impact” feature despite it successfully onboarding most of the users to date.
Buy Bitcoin Now
“The real issue is GMX doesn’t reflect the true cost of liquidity like other venues do, it offers unlimited liquidity at a mid-market oracle price.”
The recent exploit comes just weeks after the founder of Layer-2 DEX ZigZag “Taureau” stated in a September 2 video call that he doubted GMX’s exchange model would be sustainable over the long term, adding that a trader with the ideal strategy could wipe out GLP token holders:
Has $GMX built a viable system for the long-run?
ZigZag Founder @taureau_21 has his doubts… and predicts eventually that a trader with the right strategy and proper size will wipe out $GLP
— Flywheelpod (@flywheelpod) September 2, 2022
Community Reaction ON The GMX Hack
The news of the exploit brought about mixed reactions from the GMX community. One Twitter user highlighted the fact that no smart contract was exploited, while another Twitter user asked GMX whether any form of compensation would be paid out to the affected GLP holders.
On GMX, liquidity providers supply ETH, BTC, AVAX, and stablecoins in exchange for the GLP token. The protocol was launched in late 2021 on Ethereum layer-2 scaling network Arbitrum.
The GMX token (GMX) is now priced at $39.07, down 16.7% in the past 24 hours, based on CoinGecko.