Last week, the decentralized exchange GMX fell victim to a critical vulnerability in its smart contract code: an attacker exploited it to mint tokens and drain assets totaling $40 million. In the aftermath, GMX publicly addressed the attacker on-chain, appealing for the return of the stolen funds.
For the hacker, returning the funds would have secured a $5 million bounty offered by GMX—a legitimate white-hat reward that would not be subject to freezing or legal pursuit.
Conversely, if the hacker chose to keep the $40 million, their wallet addresses would be permanently blacklisted. While mixing services might obscure the trail of funds, the risk of legal consequences would remain exceedingly high.
In an on-chain message attached to a transaction, GMX conveyed the following:
“You’re clearly smart. Here’s $5M to do the right thing. You can keep 10% — just give back 90%, and we’ll let you live your best DeFi life without fear of legal chaos.”
Ultimately, the hacker agreed to the offer, returning the majority of the stolen assets while retaining $5 million in cryptocurrency as their reward. GMX went so far as to offer to provide legal or compliance documentation for the funds, ensuring the hacker would not face issues such as freezing or scrutiny when using the assets.
In essence, the incident concluded in a form of reconciliation: GMX recovered the bulk of the stolen funds with minimal loss, and the hacker received a substantial bounty for their skills—without facing legal repercussions.
However, the generosity of GMX’s $5 million reward has sparked discontent among some members of the security research community. Many researchers have received little to no compensation for responsibly disclosed vulnerabilities, prompting frustration over the apparent disparity.