How a Reentrancy Bug in GMX Exploited AUM Logic to Steal $40M — And Why No One Saw It Coming

The Attack Vector: A Reentrant Trap
The GMX exploit began when attackers called unstakeAndRedeemGlp—intentionally passing a smart contract address instead of an EOA into executeDecreaseOrder. This bypassed the expected validation layer, letting the attacker re-enter the redemption loop mid-execution. Each recursive call inflated the AUM calculation: AUM = total token pool value − unrealized losses − reserved amounts.
The Leverage Amplifier
Leverage was switched on via enableLeverage, turning GLP into a leveraged position. Attackers opened massive WBTC short positions before redeeming. As GLP was withdrawn, the system recalculated AUM from stale data in which unrealized losses had not yet been settled and were therefore still counted as real assets. This created an artificial surplus, allowing the attackers to claim far more than their proportional share.
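The redemption path and stale-AUM accounting described in the two sections above, as an added toy model in Python (not GMX's code): a Vault whose redeem() prices GLP from the post's AUM formula and calls out to the receiver before settling, beside the hardened ordering with a reentrancy guard and effects applied before the external call. The Vault and attacker_contract names and all figures are constructed for the illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Vault:
    pool_value: float          # total token pool value
    unrealized_losses: float   # trader losses not yet settled against the pool
    reserved: float            # amounts reserved for open positions
    glp_supply: float          # outstanding GLP shares
    balances: dict = field(default_factory=dict)
    hardened: bool = False     # True: guard enforced and effects run before the call
    _locked: bool = False
    def aum(self) -> float:    # the formula quoted in the post
        return self.pool_value - self.unrealized_losses - self.reserved
    def redeem(self, who: str, glp_amount: float, receiver) -> None:
        if self.hardened and self._locked:
            raise RuntimeError("reentrant call rejected")
        if self.balances.get(who, 0.0) < glp_amount:
            raise ValueError("insufficient GLP")
        self._locked = True
        payout = glp_amount * self.aum() / self.glp_supply  # pro-rata share of AUM
        if self.hardened:
            self._settle(who, glp_amount, payout)  # effects first ...
            receiver(self, payout)                  # ... then the external call
        else:
            receiver(self, payout)                  # call out while state is still stale
            self._settle(who, glp_amount, payout)   # settlement lands too late
        self._locked = False
    def _settle(self, who: str, glp_amount: float, payout: float) -> None:
        self.balances[who] -= glp_amount
        self.glp_supply -= glp_amount
        self.pool_value -= payout

def attacker_contract(max_depth: int):
    # Receiver contract that re-enters redeem() up to max_depth times.
    stats = {"received": 0.0, "depth": 0}
    def callback(vault: Vault, payout: float) -> None:
        stats["received"] += payout
        if stats["depth"] < max_depth:
            stats["depth"] += 1
            try:
                vault.redeem("attacker", 100.0, callback)
            except RuntimeError:
                pass  # the hardened vault rejects the nested call
    return callback, stats
def run(hardened: bool) -> tuple:
    # Constructed figures: AUM = 1000 - 100 - 100 = 800; attacker holds 10% of GLP.
    v = Vault(1_000.0, 100.0, 100.0, 1_000.0, {"attacker": 100.0, "lp": 900.0}, hardened)
    fair = 100.0 * v.aum() / v.glp_supply           # 80.0
    cb, stats = attacker_contract(max_depth=3)
    v.redeem("attacker", 100.0, cb)
    return fair, stats["received"]                  # vulnerable: 320.0, hardened: 80.0
```

In the vulnerable ordering every nested call sees the same unchanged pool, supply and balance, so a single 100 GLP redemption is paid four times; with effects applied first the nested call is rejected and the attacker receives exactly the fair share.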
Why It Worked: Broken Trust in Logic
This wasn't a bug in code; it was a failure of assumptions. We assumed EOA inputs were safe and did not validate caller identity at the state-transition level. In DeFi, trust should default to zero, not to optimism.
The Aftermath: Systemic Risk Lingers
AUM wasn’t meant to be dynamic or speculative—it was supposed to be an oracle of true exposure. But when leverage and reentrancy collide without guardrails, even elegant math becomes weaponized.
I’ve reviewed this transaction on Arbitrum (0x03182d3f…). The flaw is architectural—not accidental. If your protocol doesn’t audit external calls as strictly as it audits balances—you’re not building DeFi. You’re building a casino.
LondonCryptoX
Hot comment (1)

This exploit isn't a bug, it's a classic! When your DeFi code turns into a casino with vodka instead of a calculator… AUM counts losses like borscht after New Year's. Where's the EOA? And where's my dad with his diploma? While you stay silent, the hackers have already drunk up all your assets and gone home… Will you be DeFi soon too? Or will you just pop into the bar around the corner?

