Decentralized derivatives exchange GMX said on Wednesday that users impacted by last month’s $42 million exploit of its Arbitrum-based GLP pool can now claim compensation through its app.
The platform will distribute around $44 million worth of assets — covering recovered funds plus $2 million from GMX’s treasury — entirely in GLV, a new liquidity vault token introduced for GMX V2.
The July 9 incident, caused by a reentrancy bug in GMX V1, allowed an attacker to manipulate the pool’s asset-under-management calculations and withdraw more than their initial deposit. Within hours, GMX offered the attacker a 10% bounty for returning the remaining funds, which the exploiter accepted.
Eligible claimants will receive equal allocations of GLV [BTC-USDC] and GLV [WETH-USDC], translating to roughly 25% wrapped bitcoin, 25% ether, and 50% stablecoins — mirroring the original GLP exposure.
In addition, GMX is creating a $500,000 GLV incentive pool for recipients who keep their tokens for at least three months without selling or transferring them, rewarding holders with a pro-rata share.
The distribution marks what GMX called “a favorable resolution” to the incident, which had been one of the year’s largest DeFi exploits by value.
The announcement comes nearly a month after hacker behind the $40 million exploit has begun returning stolen funds, days after the protocol offered a $5 million bounty and promised no legal action if most of the crypto was sent back.
The breach targeted GMX’s V1 liquidity pool on Arbitrum, draining a mix of assets including USDC, FRAX, WBTC, and WETH. The attack, triggered by a re-entrancy bug in the platform’s OrderBook contract, allowed the exploiter to manipulate short positions on BTC, inflate the price of GLP tokens, and cash out with a hefty profit. GMX responded by freezing all V1 trading and minting on both Arbitrum and Avalanche.
The attacker responded to GMX’s onchain bounty message with a blunt reply: “ok, funds will be returned later.” Blockchain analytics firm PeckShield flagged the message and confirmed the exploiter had returned $5.5 million in FRAX, followed by another $5 million shortly after. ETH transfers totaling around $30 million were also tracked back to GMX’s deployer address.
The hacker had 48 hours to comply or face legal action. GMX’s public bounty offer, equal to 10% of the stolen sum, remains available from its treasury.
