GMX, a decentralized exchange (DEX), was recently exploited. According to reports, a price manipulation attack allowed an exploiter to steal $565,000 from its Avalanche (AVAX)/USD market.
The attack affected GLP token holders who had contributed liquidity to GMX in the form of AVAX (the Avalanche token). It is believed to have been carried out by an anonymous exploiter who profited from GMX's "minimum spread" and "zero price effect" features.
GMX confirmed the exploit on Sunday
In a Sunday post on Twitter, the DEX acknowledged the price manipulation exploit and said that the AVAX/USD market will continue to be active, though with a $2 million cap on long positions and a $1 million cap on short positions.
Joshua Lim, the head of derivatives at Genesis Trading, was one of the first to examine the exploit. He said that the perpetrator "successfully extracted profits from the DEX's AVAX/USD market by starting large positions at 0 slippage" before moving AVAX/USD on centralized exchanges to a marginally higher price.
The first cycle of this exploit method, according to Lim, began at 1:15 AM UTC on Sunday, and the method was repeated five times. Approximately $4 to $5 million worth of AVAX was moved during each cycle, and the exploiter profited by about $565,000 after paying spreads to market participants on other exchanges.
While GMX quickly limited short and long open interest for AVAX/USD to safeguard the DEX from further manipulation, Lim stated that GMX may have to do away with its "zero price effect" feature, even though the feature has attracted a lot of users so far.
Taureau, the founder of layer-2 DEX ZigZag, said in a video chat on September 2 that a trader with the right approach might wipe out GLP token holders, and expressed worry about the long-term viability of GMX's exchange platform.
In other news, a hacker was able to steal 200 WETH on the Ethereum PoW chain through a replay attack on the Omni bridge. Security company BlockSec discovered the replay attack on the Ethereum PoW chain on September 18.
The attacker sent 200 WETH from the Ethereum PoS chain through the Omni bridge. According to reports, the same transaction was then replayed on the Ethereum PoW chain.