Decentralized exchange GMX suffers $565K price manipulation ‘exploit’
A founder of a DEX that competes with GMX said on Sept. 2 that an exploit could be pulled off on GMX, one that could leave GLP holders short. Sixteen days later, it happened.
The unidentified exploiter is understood to have capitalized on GMX’s “minimal spread” and “zero price impact” features to pull off the exploit, which impacted GLP tokenholders who provided liquidity in the form of AVAX (the Avalanche token) to GMX.
GMX confirmed the price manipulation exploit in a Sunday post on Twitter, but stated that the AVAX/USD market would remain open, with open interest capped at $2 million for long positions and $1 million for short positions.
We were notified of price manipulation of AVAX/USD on reference exchanges by monitoring systems and community members.
While we review the occurrence, open-interest for AVAX has been capped at $2m long / $1m short.
GLP and GMX trading markets continue to operate normally.
— GMX (@GMX_IO) September 18, 2022
Head of derivatives at Genesis Trading Joshua Lim was one of the first to analyze the exploit, stating that the exploiter “successfully extracted profits from GMX’s AVAX/USD market by opening large positions at 0 slippage” before transferring the AVAX/USD to centralized exchanges at a slightly higher price.
Lim said this exploit method was repeated five times, with the first cycle taking effect at 1:15 am UTC on Sunday. Each cycle transferred more than 200,000 AVAX, roughly $4-5 million per cycle, with the exploiter extracting about $565,000 in profit after paying spread to market makers on other exchanges.
3/ let’s take a look at the first cycle which took place from 01:15:31 to 01:28:11 UTC. X was able to extract roughly $158k in profit by trading clips of $4-5mm at a time pic.twitter.com/W6eu7Iz6lz
— Joshua Lim (@joshua_j_lim) September 18, 2022
Lim, however, noted that this wasn’t an “exploit” in that it was “GMX working as designed.”
Technical analyst Duo Nine added that the exploiter was able to take advantage of several large trades against GLP holders because the fixed prices supplied by the Chainlink-run oracles come with no price impact, which is what made the price manipulation exploit possible:
“If traders make profit, the liquidity providers lose. If traders exploit this vulnerability, the GLP holders may lose all their money!”
While GMX immediately capped short and long open interest for AVAX/USD to protect the DEX from further manipulation, Lim said that GMX may need to scrap its “zero price impact” feature despite it successfully onboarding many users to date:
“The real issue is GMX doesn’t reflect the true cost of liquidity like other venues do, it offers unlimited liquidity at a mid-market oracle price.”
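The exposure Lim describes can be put in numbers with a small model, added here as an illustration and not taken from GMX, Lim's analysis or the article's sources. It compares what liquidity providers lose on one oracle price move under zero price impact, under an open-interest cap, and under size-based price impact. The $2 million long cap comes from GMX's post; the 1% oracle move, the linear impact coefficient and all names in the code are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Venue:
    """Pricing rules of a venue whose liquidity pool is the traders' counterparty."""
    name: str
    oi_cap_usd: Optional[float] = None  # open-interest cap per side; None = uncapped
    impact_per_musd: float = 0.0        # price impact per $1M of size; 0 = fill at oracle mid

def trader_pnl_usd(venue: Venue, requested_usd: float, oracle_move: float) -> float:
    """PnL of a long opened before and closed after `oracle_move` (a fraction).
    The pool is the counterparty, so a positive value is the LPs' loss."""
    size = requested_usd if venue.oi_cap_usd is None else min(requested_usd, venue.oi_cap_usd)
    impact = venue.impact_per_musd * size / 1e6   # paid on entry and again on exit
    return size * (oracle_move - 2 * impact)

def worst_case_lp_loss_usd(venue: Venue, oracle_move: float) -> float:
    """Largest LP loss over all position sizes for a given oracle move."""
    if venue.impact_per_musd == 0.0:
        # Zero price impact: loss grows linearly with size, so only a cap bounds it.
        return math.inf if venue.oi_cap_usd is None else venue.oi_cap_usd * oracle_move
    # With impact, PnL = s*(move - 2*k*s/1e6) peaks at s = move*1e6/(4*k).
    best = oracle_move * 1e6 / (4 * venue.impact_per_musd)
    if venue.oi_cap_usd is not None:
        best = min(best, venue.oi_cap_usd)
    return max(trader_pnl_usd(venue, best, oracle_move), 0.0)

# Constructed scenario: 1% oracle move, one $4.5M clip (article: "$4-5mm at a time").
MOVE, CLIP = 0.01, 4_500_000
VENUES = [
    Venue("zero impact, uncapped"),
    Venue("zero impact, $2M long cap", oi_cap_usd=2_000_000),   # cap from GMX's post
    Venue("size-based impact", impact_per_musd=0.001),           # 0.1% per $1M, assumed
]

if __name__ == "__main__":
    for v in VENUES:
        print(f"{v.name:28} clip loss ${trader_pnl_usd(v, CLIP, MOVE):>10,.0f}   "
              f"worst case ${worst_case_lp_loss_usd(v, MOVE):,.0f}")
```

With zero price impact and no cap the worst case is unbounded, which is the "unlimited liquidity at a mid-market oracle price" problem; the cap bounds the loss linearly, while size-based impact bounds it at any position size.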
The recent exploit comes only weeks after the founder of layer-2 DEX ZigZag, Taureau, said in a Sept. 2 video call that he doubted GMX’s exchange model would be sustainable over the long term, adding that a trader with the right strategy could wipe out GLP tokenholders:
Has $GMX built a viable system for the long-run?
— Flywheelpod (@flywheelpod) September 2, 2022
The news brought about mixed reactions from the GMX community. One Twitter user highlighted the fact that no smart contract was exploited, while another Twitter user asked GMX whether any compensation would be paid out to affected GLP holders.
The GMX token (GMX) is currently priced at $39.07, down 16.7% over the last 24 hours, according to CoinGecko.