On July 2024, GAX was exploited in a access control, resulting in approximately $50K in losses. That makes the GAX exploit the 269th largest DeFi incident out of 690 documented in our archive.
Attack Mechanics: How the GAX Access Control Played Out
Exploit Class Applied to GAX
The GAX incident on July 11, 2024 is classified as a Access Control. A privileged function lacks a proper authorisation check, letting an unauthorised caller execute it. In the full archive, GAX is 1 of 77 documented access control incidents.
GAX in Context
At $50K, the GAX exploit is a minor (<$1M) event compared to the largest same-class incident in our archive — Corkprotocol (2025) at $12M.
Prior Access Control Before GAX
The nearest access control incident before GAX was MetaDragon, 43 days earlier on May 29, 2024 ($180K lost). The same exploit class surfaced again within the access control attack surface.
GAX Vulnerability Signature
The primary source categorises the GAX exploit specifically as “Lack of access control”. This narrower label is entity-specific: it reflects how the GAX contract failed, rather than the broad access control pattern alone.
Impact & Recovery for GAX
GAX Loss Figure
The GAX exploit caused $50,000 in losses — a minor (<$1M) incident and the 78th largest of 188 documented in 2024.
Where GAX Sits Among Access Control Attacks
Ranked by loss size, GAX is the 30th largest of 77 access control incidents documented. That puts the GAX loss below the class average of $636K.
Timeline Since the GAX Incident
The GAX exploit occurred 1.8 years ago (642 days). The contract, its fork-block, and the attack transaction remain on-chain and forensically reproducible.
Primary Reference for GAX
Public post-mortem / on-chain analysis for the GAX incident: view source.
FAQ
How much did GAX lose?
The GAX exploit in July 2024 resulted in $50,000 in losses — the 78th largest of 188 DeFi incidents that year.
When did the GAX hack happen?
The GAX exploit was recorded on July 11, 2024 — 642 days ago.
What type of exploit hit GAX?
The GAX incident is classified as a Access Control. A privileged function lacks a proper authorisation check, letting an unauthorised caller execute it.
How common is the Access Control pattern seen at GAX?
Our archive contains 77 documented access control incidents. The GAX incident is one of them.
How does GAX compare to the largest Access Control attack?
The largest access control incident in our archive is Corkprotocol (2025) at $12M. The GAX loss is $50K.
What is a key challenge in constructing secure multi-party cross-chain protocols?
Designing a protocol that supports multi-party transactions without relying on centralized middleware or smart contracts is challenging.
Explain the minting phase in the context of the payment channel.
It converts plaintext currency into zero-knowledge currency, preparing funds for private transactions within the channel.