GMX V2 is Mathematically Insolvent Two independent critical vulnerabilities allow physical drainage…

I am a security researcher who contacted the GMX Core Team directly via ticket #0116 on May 7, 2026.

Jsmzproduction

~2 min read · May 8, 2026 (Updated: May 9, 2026) · Free: Yes

The ticket was seen, immediately deleted, and access was blocked.

I am bypassing all bug bounty platforms due to repeated bad faith triage and now publishing this publicly.

The Core Accounting Flaw (MarketUtils.sol:403)

// MarketUtils.sol (partial, redacted) result.poolValue += lentImpactPoolUsd.toInt256();

The protocol adds lentPositionImpactPoolAmount (a liability — virtual debt owed to traders for positive price impact) directly into the poolValue used to calculate GM token price.

Mathematical Proof of Insolvency

Let:

Vphys V_{phys} Vphys: Physical assets in the pool (USDC + ETH)
L L L: lentPositionImpactPoolAmount (virtual debt)
S S S: Total GM token supply

GM Price=Vphys+LS \text{GM Price} = \frac{V_{phys} + L}{S} GM Price=SVphys+L

Solvency condition: Vphys≥S×GM Price V_{phys} \geq S \times \text{GM Price} Vphys≥S×GM Price Substituting: Vphys≥Vphys+L V_{phys} \geq V_{phys} + L Vphys≥Vphys+L

This inequality is mathematically impossible when L>0 L > 0 L>0.

The moment positive price impact creates virtual debt, the pool becomes physically insolvent. Early withdrawers drain real collateral. Late LPs hold worthless tokens.

I have fully functional Foundry PoCs for both vulnerabilities.

The first exploits the OrderCommitment logic + stale signatures / lookback arbitrage. The second compounds the NAV inflation vector.

Both allow an attacker to force lentAmount, inflate GM price, and drain physical assets exceeding their deposit.

What happened with ticket #0116 Sent directly to core team with PoCs and 3-hour private resolution ultimatum. Ticket seen → deleted → access blocked.

No response. No bounty offer. Only silence.

To the GMX Core Team and LPs LPs are currently depositing real USDC/ETH into a system that is mathematically insolvent the moment lentAmount > 0.

This is not FUD. This is code + math.

I still offer private resolution if a decision-maker reaches out immediately.

Otherwise full disclosure (including PoC details) will continue.

The clock is ticking.

— JSMZ

"Evidence from @JSMZproduction — May 8, 2026"

Tags: GMX Theori Vulnerability Research @i, I

#defi #bug-bounty #bugs #vulnerability #cryptocurrency

< Go to the original

GMX V2 is Mathematically Insolvent Two independent critical vulnerabilities allow physical drainage…

I am a security researcher who contacted the GMX Core Team directly via ticket #0116 on May 7, 2026.

Reporting a Problem