DeFi Hacks in 2025: Can We Still Trust Protocols Like GMX and Kinto?

Mila Mostovaya

In 2025, the crypto market was once again forced to face reality: even mature and well-established DeFi protocols remain vulnerable. Over a single weekend in July, GMX and Kinto lost a combined total of over $40 million due to critical vulnerabilities in their smart contracts. These incidents not only undermined user confidence, but also raised the biggest question of the year: can DeFi protocols — even the most battle-tested ones — still be trusted?

The GMX V1 Exploit: What Went Wrong

In July 2025, GMX — a decentralized derivatives trading protocol (V1 on Arbitrum) — suffered a major hack. The attacker exploited a reentrancy vulnerability in GMX's smart contracts, managing to withdraw approximately $40–42 million in various assets from liquidity pools.

The nature of the exploit — a logical design flaw and the absence of a reentrancy lock — means that only the old GMX V1 contract was vulnerable. The GMX team emphasized that the GMX V2 protocol, its markets, and the GMX token were unaffected — the issue was limited to the GLP pool in V1. Blockchain analysts (including SlowMist) pointed out that the root of the problem was a flaw in how the GLP price was derived from the pool's assets under management (AUM), which allowed that price to be manipulated under certain smart contract conditions.

Notably, the vulnerability originated from an earlier fix: back in 2022, GMX patched a bug related to the global short update, but the change wasn’t audited — leaving a loophole for this new exploit.

This case clearly demonstrated how important it is to engage external audits for any modification of smart contracts, even if the changes seem insignificant.

The Kinto Backdoor Exploit: What Happened to the $K Token

Just a day after the GMX incident, on July 10, 2025, another DeFi project — Kinto — was attacked. During the attack, the $K token plummeted by more than 90% in just an hour.

The cause was a hidden vulnerability in how the token's smart contracts were deployed: the attacker exploited a backdoor in the token's ERC-1967 proxy contract.

If the ERC-1967 storage slot that holds the implementation address is left uninitialized when a proxy is deployed, an attacker can later write a second implementation address into it (a so-called hacker proxy), one that standard blockchain explorers do not display. In Kinto’s case, this hidden contract gave the attacker admin rights over the $K proxy token on Arbitrum.
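The deployment check this paragraph implies, as an added example that is not part of the article or of Kinto's code: it reads the ERC-1967 implementation, admin and beacon slots from a storage snapshot and flags a slot that is zero or that points somewhere other than the address the team published. The slot constants are the ones fixed by EIP-1967; the addresses and storage snapshots are constructed for the example.

```python
# Added example (not from the article or from Kinto): a defender-side audit of
# an ERC-1967 proxy's storage. It flags the condition the article describes,
# an implementation slot never initialised at deployment, and a slot that
# points at an unexpected address. Slot constants are those fixed by EIP-1967
# (keccak256(label) minus 1). Snapshots are constructed; on a live chain each
# word would come from eth_getStorageAt(proxy, slot).

IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
BEACON_SLOT = 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50
ADDR_MASK = (1 << 160) - 1


def read_address(storage: dict, slot: int) -> tuple:
    """Return (address, clean) for a 32-byte storage word: the low 160 bits are
    the address; 'clean' is False if the upper 96 bits carry stray data."""
    word = storage.get(slot, 0)
    return word & ADDR_MASK, (word >> 160) == 0


def audit_proxy(storage: dict, expected_impl: int, expected_admin: int) -> list:
    """Return a list of findings; an empty list means the proxy looks as expected."""
    findings = []
    impl, impl_clean = read_address(storage, IMPL_SLOT)
    admin, admin_clean = read_address(storage, ADMIN_SLOT)
    beacon, _ = read_address(storage, BEACON_SLOT)   # beacon proxies leave IMPL_SLOT zero
    if impl == 0 and beacon == 0:
        findings.append("implementation slot is zero: proxy deployed without an initialised implementation")
    elif impl != expected_impl:
        findings.append(f"implementation slot points to 0x{impl:040x}, expected 0x{expected_impl:040x}")
    if not impl_clean or not admin_clean:
        findings.append("non-zero bytes above the address in an ERC-1967 slot")
    if admin == 0:
        findings.append("admin slot is zero: no upgrade admin recorded")
    elif admin != expected_admin:
        findings.append(f"admin slot points to 0x{admin:040x}, expected 0x{expected_admin:040x}")
    return findings


# Constructed snapshots (sample values, not real Kinto addresses).
TEAM_IMPL = 0x1111111111111111111111111111111111111111
TEAM_ADMIN = 0x2222222222222222222222222222222222222222
ROGUE = 0xBADBBADBBADBBADBBADBBADBBADBBADBBADBBADB
HEALTHY = {IMPL_SLOT: TEAM_IMPL, ADMIN_SLOT: TEAM_ADMIN}
UNINITIALISED = {}                                   # slots never written at deployment
HIJACKED = {IMPL_SLOT: ROGUE, ADMIN_SLOT: ROGUE}      # slots later set by someone else

if __name__ == "__main__":
    for name, snap in [("healthy", HEALTHY), ("uninitialised", UNINITIALISED), ("hijacked", HIJACKED)]:
        print(name, audit_proxy(snap, TEAM_IMPL, TEAM_ADMIN) or ["ok"])
```

Running the same check against the proxy right after deployment, before any announcement, is what would have caught an empty slot in time.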

However, Kinto did not receive a timely warning and was overlooked by the rescue team. The public disclosure of the vulnerability on July 9 inadvertently alerted attackers: within roughly 12 hours, the bug was already being used against Kinto.

How Much Money Have Users Lost?

Thanks to the quick actions of the GMX team — and a bit of luck — GMX V1 users didn’t end up losing anything. Although over $40 million was initially withdrawn from the GLP pool, the GMX team quickly contacted the hacker and offered him an informal amnesty along with a white-hat bounty of 10% for returning the funds.

The GMX team emphasized that it would cover this “reward to the hacker” from its own reserves (bounty fund), ensuring full restoration of the pool’s balance and compensation for users. Thus, GLP token holders and GMX V1 traders avoided losses — although the pool’s liquidity dropped at the time of the attack, it returned to normal once the funds were recovered.

In the case of Kinto, the consequences for users were much more severe.

First, the attack led to an almost complete collapse in the value of the $K token, hitting investors and holders hard. The ~95% drop in price meant that those who held $K saw their assets depreciate tenfold.

Second, direct liquidity losses totaled approximately $1.55 million — these funds were drained from Uniswap pools and from the credit pool on the Morpho platform. Morpho’s liquidity providers (LPs) and lenders were affected — their USDC deposits were stolen against the collateral of the compromised $K token.

According to Kinto, at the time of the incident, Morpho depositors lost around $3.2 million, while borrowers — who had taken out loans against $K — still owed approximately $2.4 million, which remains repayable.

Can the GMX and Kinto Protocols Be Trusted After These Incidents?

In the case of GMX, although the protocol’s reputation took a hit, it was largely preserved thanks to the team’s prompt and responsible actions.

Many in the community viewed the incident as serious but not fatal. GMX is one of the largest DeFi protocols and had not previously experienced any major issues. Its response — especially the refund — was praised as exemplary.

The situation with Kinto is more delicate, to say the least. On the one hand, the team is also acting responsibly: it’s not hiding the problem and is actively working on compensation and technical solutions. On the other hand, the damage to Kinto’s credibility is substantial.

Key Takeaway

The DeFi world remains a high-risk space, where high yields coexist with the constant risk of sudden fund losses. The 2025 hacks of GMX and Kinto showed that even well-established projects can have vulnerabilities.

It’s important for users to balance trust with caution: only trust protocols to the extent that you’re prepared to lose the funds you’ve invested.

Even proven DeFi protocols aren’t immune to hacks — and maintaining trust in them requires ongoing verification. GMX and Kinto have been put to the test. And while both are working to restore their reputations, users are justified in remaining somewhat skeptical.

Trust is possible, but not blindly — only on the condition of transparency, regular audits, clear plans for compensation, and improved security.