Hacker Returns Stolen Funds from $40M GMX Exploit

After accepting a $5 million white hat bounty offered by the GMX team, the attacker behind the $40 million GMX exploit has begun returning the stolen crypto. The exploiter, who targeted a liquidity pool on GMX v1, had previously drained various crypto assets from the platform after exploiting a design flaw to manipulate the value of GLP tokens.

The return follows an onchain message in which the hacker promised to return the crypto. In the message, which was flagged by blockchain security firm PeckShield, the attacker wrote: "Ok, funds will be returned later." Just over 45 minutes later, the hacker started returning the stolen crypto.

At the time of writing, the address labeled GMX Exploiter 2 had returned approximately $9 million in Ether (ETH) to the Ethereum address specified by the GMX team in an onchain message. The attacker also returned about $5.5 million in FRAX tokens to the GMX team. Furthermore, they returned another $5 million in FRAX tokens to the GMX address.

According to PeckShield's analysis, about $20 million in assets had been returned to GMX as of the time of writing. The total amount recovered is significantly higher than the initial estimate of $10 million.

The Exploit and the Bounty

The exploit on Wednesday targeted a liquidity pool on GMX v1, which is the first iteration of the perpetual trading platform deployed on Arbitrum. The attacker exploited a design flaw to manipulate the value of GLP tokens, draining various crypto assets from the platform.

GMX offered a $5 million bounty to the attacker, promising that the amount would be categorized as a white hat bounty that the hacker could freely spend as soon as the funds were returned. The team also offered to provide proof of the source of funds should the hacker require it.

"You've successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions," GMX wrote. "The white hat bug bounty of $5 million continues to be available." Accepting the bounty would allow the hacker to remove the risks associated with spending stolen funds.

The Implications

The GMX team also warned that they would pursue legal action in 48 hours if the funds were not returned. However, it appears that the hacker's decision to return the funds has averted any potential legal consequences.

It is worth noting that the hacker could have taken up to 10% of the stolen funds as a white hat bounty reward, but only if they returned 90% of the crypto to the addresses specified by the GMX team. Fortunately, it seems that the hacker has chosen to return significantly more than this threshold.

The incident highlights the complexities and nuances of bug bounties and white hat hacking. While the $5 million bounty may have incentivized the hacker to return the stolen funds, it also raises questions about the ethics and motivations behind such programs.