- At the time of writing, the total amount returned to GMX was approximately $20 million.
- GMX acknowledged the technical sophistication of the exploit and offered a $5 million bounty for the return of the funds.
- Reports indicate the attacker manipulated the price of GLP tokens, draining a variety of crypto assets from the platform.
The attacker who exploited a vulnerability in the GMX v1 decentralized exchange and stole roughly $40 million in cryptocurrencies has begun returning the stolen assets after accepting a bounty offered by the GMX team.
Blockchain security firm PeckShield reported that the hacker posted an on-chain message acknowledging the bounty and expressing willingness to cooperate.
“Ok, the funds will be returned later,” the exploiter wrote in a blockchain transaction, referring to the terms outlined by GMX for partial restoration of the stolen assets.
The hacker begins transferring funds back
Less than an hour after the message was posted, the attacker started transferring funds to the address specified by GMX.
PeckShield said approximately $9 million in Ether (ETH) was sent to the team.
The Ethereum address used in the transaction has been labeled “GMX Exploiter 2” on blockchain tracking platforms.
PeckShield also noted two separate stablecoin transfers involving FRAX: the attacker returned $5.5 million in one transaction and an additional $5 million in another.
At the time of writing, the total amount returned to GMX stood at about $20 million, roughly half of the assets taken.
The original exploit, which occurred on Wednesday, targeted a liquidity pool on GMX v1, a perpetual trading protocol deployed on the Arbitrum Layer 2 network.
According to reports, the attacker manipulated GLP token pricing, draining a range of crypto assets from the platform by exploiting a design flaw in the protocol.
GMX offered a $5 million “white hat” bounty
In response to the breach, GMX acknowledged the technical sophistication of the exploit and announced a $5 million bounty for the return of the funds.
In a post on X (formerly Twitter), the GMX team addressed the hacker directly, offering the bounty under a “white hat” designation that would allow the attacker to spend remaining funds legally if the majority of assets were returned.
“You executed the exploit successfully; your skills to do so are obvious to anyone who inspects the exploit transactions,” GMX wrote. “The $5 million bounty remains available.”
The team emphasized the bounty was intended to remove legal and practical risks associated with using stolen cryptocurrency.
GMX also offered to provide proof of the funds’ origin if needed, enabling the exploiter to pass compliance checks or audits.
Beyond the public bounty, the GMX team issued an on-chain ultimatum, stating legal action would be pursued within 48 hours if the funds were not returned.