Key Takeaways
In the past week, the Arbitrum-based decentralized exchange, GMX, was exploited to the tune of $42 million. But after the platform offered a white hat bounty for their return, the hacker gave back some of the assets.
In another attack, hackers siphoned $200,000 worth of ETH from Peapods Finance.
On Wednesday, July 9, cryptocurrency worth more than $42 million was drained from the GLP pool of GMX V1. The stolen assets included WBTC, WETH, UNI, FRAX, LINK, USDC, and USDT.
Trading on GMX V1 was temporarily suspended, as was the minting and redemption of GLP on both Arbitrum and Avalanche.
GMX V2 remains unaffected.
The exploit used what is known as a reentrancy attack, which abuses smart contracts that make external calls to other contracts before updating their own state.
This allows a malicious contract to reenter the original function and repeat withdrawals.
In an on-chain message following the breach, GMX developers offered a 10% white-hat bounty and promised not to pursue legal action if the funds were returned within 48 hours.
“Ok, funds will be returned later,” the attacker responded on Friday morning.
In the following hours, a string of transactions returned millions of dollars worth of stablecoins and ETH to GMX.
As for the 10% bounty, the hacker ultimately returned more than 90% of the initial value of the stolen funds.
Because the price of ETH jumped nearly 15% within 48 hours, the GMX exploiter's tactic of swapping the stolen assets for ETH netted a tidy profit. Despite returning most of the value of what they stole, they still hold 1,700 ETH worth nearly $5.1 million.
On July 8, several blockchain security firms raised the alarm about suspicious withdrawals from Peapods Finance, a DeFi yield protocol that leverages volatility across a broad range of crypto assets to generate returns.
Roughly 78 ETH worth over $216,000 was pulled from the platform by manipulating the oracle price of one of its trading pairs.
“The issue seems to be an underlying bad oracle for that specific pod, which is a user configuration issue,” Peapods said on its official Telegram channel.
“The team is currently working with auditors and discussing the matter internally. More information will be shared once the team has concluded their investigation. We ask for your patience in the meantime!” the post added.