GMX, a popular decentralized exchange, was manipulated in September, resulting in a loss of Liquidity Providers’ funds of $565,000. Who is to blame for the exploit and who will reimburse the investors’ funds is still being debated and will likely continue to be so. Just after two weeks, GMX successfully listed its tokens on Binance.
Recently a price manipulation attack on GMX DEX (Decentralized EXchange) allowed an exploiter to profit $565,000 on AVAX/USD pair, essentially taking the funds from the protocol and LP providers. GMX is a decentralized trading platform with more than $400M TVL. Unlike Uniswap model, GMX does not use Automated Market Makers. Instead, it maintains a price based on an external oracle feed. It also introduced an innovative Zero price impact slippage on trades and also a protocol allowing users to leverage their trades up to 30 times. These two features, combined, were used to perform the recent attack.
💡 Slippage is the term for the difference between the expected (current) price of a trade and the executed price of a trade. It can be caused by trades too large for the given liquidity pools. Each trade executed in a decentralized exchange impacts the pool or the price, that is how usual DEX's works (through the AMM algorithm). Slippage can also occur when someone with access to the transaction pool trades before your swap, changing the rate of the token pair.
On September 19th the exploiter traded back and forth on AVAX/USD pair with GMX zero slippage option with other side converting on centralized exchanges and this manipulated the oracle feed.
The AVAX pair was chosen since there was little liquidity on centralized exchanges for that asset.
Analysis of the GMX trade exploit. Source: Joshua Lim Twitter account
GMX reacted by applying a patch: limiting short long positions by $2mln and short positions by $1mln. However, the sustainability of this DEX model is under question. Duncan Reucassel, a researcher at Delphi Digital posted a tweet about possible directions:
1/ Time to address some $GMX FUD.
— Flood Capital (@FloodCapital) September 19, 2022
Recently a large trader took advantage GMX's zero slippage pricing on AVAX during a low liquidity weekend.
This limitation of GMX has been well known and established by myself and others many times.
It also has some very simple fixes. pic.twitter.com/DttHSPIgMu
It is even difficult to call this fraud since the user executed trades according to smart contract rules. In the real world, competitive market mechanisms would manage this whereby investors would switch to different platforms. In DeFi, however, we observe a situation when on October 5th, just two weeks after the incident, the two major exchanges, Binance and FTX announced listing of GMX tokens on their platforms.
GMX token price rose by 35% and it seems this mitigated the unfortunate events of September. At the time of writing the price fell again to a low of September 19th.
Decentralized exchanges are definitely an important segment of the DeFi markets but none of the models that exist so far (with an order book, AMM and oracle type) is trouble-free. As observers we are following the developments in all directions.
