Decentralized exchange GMX suffers $565K price manipulation 'exploit'
Decentralized exchange (DEX) GMX has reportedly suffered a price manipulation exploit from an exploiter who managed to make off with around $565,000 from the AVAX/USD market.
The unidentified exploiter is understood to have capitalized on GMX’s “minimal spread” and “zero price impact” features to pull off the exploit, which impacted GLP token holders who provided liquidity in the form of AVAX (the Avalanche token) to GMX.
GMX confirmed the price manipulation exploit in a Sept. 18 post on Twitter, but stated that the AVAX/USD market would remain open despite imposing a $2 million cap on long positions and $1 million cap on short positions.
We were notified of price manipulation of AVAX/USD on reference exchanges by monitoring systems and community members.While we review the occurrence, open-interest for AVAX has been capped at $2m long / $1m short.GLP and GMX trading markets continue to operate normally.
— GMX (@GMX_IO) September 18, 2022Head of Derivatives at Genesis Trading Joshua Lim was one of the first to analyze the exploit, stating that the exploiter “successfully extracted profits from GMX's AVAX/USD market by opening large positions at 0 slippage” before transferring the AVAX/USD to centralized exchanges at a slightly higher price.
Lim said this exploit method was repeated five times, with the first cycle taking effect at 01:15 UTC on Sept. 18. Each cycle transferred more than 200,000 AVAX tokens, (roughly $4-5 million per cycle) with the exploiter extracting about $565,000 in profit after paying spread to market makers on other exchanges.
3/ let's take a look at the first cycle which took place from 01:15:31 to 01:28:11 UTC. X was able to extract roughly $158k in profit by trading clips of $4-5mm at a time pic.twitter.com/W6eu7Iz6lz
— Joshua Lim (@joshua_j_lim) September 18, 2022Lim however noted that this wasn’t an “exploit” in that it was “GMX working as designed.”
Technical analyst “Duo Nine” added that the exploiter was able to take advantage of several large trades against GLP holders because the fixed prices supplied by the Chainlink-run oracles come with no price impact, which is what made the price manipulation exploit possible.
“If traders make profit, the liquidity providers lose. If traders exploit this vulnerability, the GLP holders may lose all their money!”While GMX immediately capped short and long open interest for AVAX/USD to protect the DEX from further manipulation, Lim said that GMX may need to scrap its “zero price impact” feature despite it successfully onboarding many users to date.
“The real issue is GMX doesn't reflect the true cost of liquidity like other venues do, it offers unlimited liquidity at a mid-market oracle price.”The recent exploit comes only weeks after the founder of Layer-2 DEX ZigZag “Taureau” said in a Sept. 2 video call that he doubted GMX’s exchange model would be sustainable over the long term, adding that a trader with the right strategy could wipe out GLP token holders:
Has $GMX built a viable system for the long-run?ZigZag Founder @taureau_21 has his doubts... and predicts eventually that a trader with the right strategy and proper size will wipe out $GLPFull Episode https://t.co/3k3oLdHFWq pic.twitter.com/MF2Qafxs57
— Flywheelpod (@flywheelpod) September 2, 2022Related: What are decentralized exchanges, and how do DEXs work?
Community Reaction
The news brought about mixed reactions from the GMX community. One Twitter user highlighted the fact that no smart contract was exploited, while another Twitter user asked GMX whether any compensation would be paid out to affected GLP holders.
On GMX, liquidity providers supply BTC, ETH, AVAX and stablecoins in exchange for the GLP token. The protocol was launched in late 2021 on Ethereum layer-2 scaling network Arbitrum.
The GMX token (GMX) is currently priced at $39.07, down 16.7% over the last 24 hours, according to CoinGecko.