Decentralized perpetuals exchange GMX said its V1 protocol on the Arbitrum network was exploited on 9 July, allowing an attacker to siphon roughly $40 million to $42 million in digital assets including Bitcoin, Ether and USDC. Blockchain security firms PeckShield, CertiK and Cyvers traced the breach to a smart-contract vulnerability that let the attacker manipulate the platform’s GLP liquidity pool and mint additional tokens before redeeming them for higher-value assets. On-chain data show about $9.6 million of the stolen funds has already been bridged to Ethereum, while close to $10 million has been funneled through the sanctioned mixing service Tornado Cash.

PeckShield’s preliminary analysis attributes the incident to the way GMX V1 calculates assets under management and short positions, warning that forks of the protocol could face similar risk. SlowMist separately described the weakness as a design flaw in the short-position mechanism.

GMX has halted trading, as well as the minting and redemption of GLP tokens, on V1 deployments running on both Arbitrum and Avalanche. The newer V2 contracts and the GMX token itself remain operational. In an on-chain message, the project offered the attacker a 10% “white-hat” bounty—about $4 million—and immunity from legal action if the remaining funds are returned within 48 hours.

Market reaction was swift: the GMX governance token dropped roughly 20% to around $11, according to CoinGecko data. The team said it is working with external auditors and security partners to complete a full post-mortem and reinforce safeguards before restoring normal operations.
GMX exchange hacked for $42 million July 9, 2025 https://t.co/rgF8gyeXWp
It gets even more fancy: the way Etherscan was tricked into showing the wrong implementation contract is based on setting 2 different proxy slots in the same frontrunning tx. So Etherscan uses a certain heuristic that incorporates different storage slots to retrieve the implementation https://t.co/OyxcxZwg5N https://t.co/8VSCKK7DfY
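A defender-side check for the situation described in the post above, as an added example that is not part of the original post or any explorer's own code: it compares the implementation addresses held in two well-known proxy storage slots and flags a contract where they disagree. Which slots Etherscan's heuristic reads is not stated on the page; the choice of the EIP-1967 and legacy OpenZeppelin slots, the function names and the sample addresses are assumptions.

```python
# Added example: flag proxies whose implementation slots disagree.
# The constants are the publicly documented EIP-1967 and legacy OpenZeppelin
# (zeppelinos) implementation slots. That these are the two slots involved is
# an assumption; the page does not name them.
EIP1967_IMPL = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
LEGACY_OZ_IMPL = "0x7050c9e0f4ca769c69bd3a8ef740bc37934f8e2c036e5a723fd8ee048ed3f8c3"
IMPL_SLOTS = {"eip1967": EIP1967_IMPL, "legacy_oz": LEGACY_OZ_IMPL}


def word_to_address(word):
    """Decode a 32-byte storage word into an address, or None if empty/invalid."""
    raw = bytes.fromhex(word[2:] if word.startswith("0x") else word)
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    if raw[:12] != bytes(12):   # non-zero upper 12 bytes: not a plain address
        return None
    if raw[12:] == bytes(20):   # all-zero word: slot is unset
        return None
    return "0x" + raw[12:].hex()


def audit_proxy(storage):
    """storage maps slot hex -> 32-byte word hex, e.g. from eth_getStorageAt reads.

    Returns (candidates, ambiguous): every slot that holds an address, and
    whether those slots point at more than one distinct implementation.
    """
    candidates = {}
    for name, slot in IMPL_SLOTS.items():
        addr = word_to_address(storage.get(slot, "0x" + "00" * 32))
        if addr:
            candidates[name] = addr
    return candidates, len(set(candidates.values())) > 1


# Constructed sample reads (addresses are made up for illustration).
def pad(addr):
    return "0x" + "00" * 12 + addr[2:]

CLEAN = {EIP1967_IMPL: pad("0x" + "aa" * 20)}
CONFLICT = {EIP1967_IMPL: pad("0x" + "aa" * 20), LEGACY_OZ_IMPL: pad("0x" + "bb" * 20)}

if __name__ == "__main__":
    for label, reads in (("clean", CLEAN), ("conflict", CONFLICT)):
        print(label, audit_proxy(reads))
```

A proxy flagged as ambiguous should be resolved by checking which address its fallback actually delegates to rather than trusting whichever slot a UI displays.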
COMMENT: Security firm SlowMist identified a design flaw in GMX V1's short position mechanism as the root of the vulnerability https://t.co/ANBj6Yr46p