On July 9, 2025, GMX, a leading decentralized perpetual futures exchange, was hit by a $42 million hack targeting its V1 GLP liquidity pool on Arbitrum. The attacker exploited a reentrancy vulnerability, minting unauthorized GLP tokens and draining assets like ETH, LINK, UNI, DAI, USDC, FRAX, and WBTC. The hacker then laundered a significant portion of the funds through CrowSwap, a decentralized exchange, raising concerns about its role in facilitating illicit transactions.
The Exploit and Role of Crowswap.exchange
The attacker used flash loans to manipulate GMX’s GLP pool, extracting $32 million from Arbitrum and bridging $9.6 million to Ethereum. On-chain data shows the hacker converted $9.75 million in USDC and $1.34 million in DAI into ETH via CrowSwap, leveraging the platform’s decentralized nature to obscure the funds’ trail. CrowSwap’s lack of centralized oversight has drawn scrutiny, as it enabled the rapid movement of stolen assets, highlighting vulnerabilities in decentralized exchanges for laundering.
GMX’s Response
GMX halted V1 trading and disabled GLP minting/redemption on Arbitrum and Avalanche to limit further losses. The team offered a 10% white-hat bounty ($4.2 million) if 90% of the funds are returned within 48 hours and promised a detailed post-mortem. The hack caused GMX’s token price to drop over 20% to $11.11.
Implications for DeFi
The GMX exploit underscores persistent DeFi security challenges, particularly around smart contract vulnerabilities and cross-chain risks. CrowSwap’s involvement amplifies concerns about decentralized exchanges’ susceptibility to misuse. As investigations continue, the DeFi community awaits updates on fund recovery and CrowSwap’s response to its role in the laundering process.
