Abracadabra.Money lost $13 million in an exploit that targeted liquidity pools using GMX tokens.
Abracadabra.Money lost $13 million in an exploit that targeted liquidity pools using GMX tokens. The hack drained 6,262 ETH, worth approximately $13 million. According to crypto security firm PeckShield, the breach involved vulnerabilities in the smart contracts of both GMX and Abracadabra.Money. The stolen funds were later transferred from Arbitrum to Ethereum using a blockchain bridge.
This hack follows a similar incident in January 2024, when Abracadabra lost $6.49 million due to compromised smart contracts. That exploit also caused Abracadabra’s Magic Internet Money (MIM) stablecoin to lose its peg to the U.S. dollar. This latest attack targeted Abracadabra’s “cauldrons,” which use GMX liquidity pools for decentralized lending and borrowing.
The attacker appeared to use a flash loan technique in the exploit, a process where the borrower takes out an uncollateralized loan and repays it within the same block. The hacker manipulated the liquidation process of Abracadabra's MIM using GMX V2’s GM pools. A researcher, Weilin Li, explained the process on X, stating that the attacker liquidated themselves in a flash loan state and profited from liquidation incentives.
In response, GMX denied that its smart contracts were affected, claiming the issue was confined to Abracadabra’s cauldrons. GMX noted that the breach occurred in Spell’s cauldrons, which are based on GMX V2’s GM pools. GMX also reassured the community that no vulnerabilities were identified within its core contracts.
A report from crypto forensics firm AMLBot confirmed that only Abracadabra’s smart contracts were breached, while GMX’s contracts remained untouched. The stolen funds were routed through Tornado Cash, a decentralized cryptocurrency mixer, and used to pay transaction fees for the malicious transactions. Afterward, the stolen ETH was moved from the Arbitrum network to Ethereum via a bridge.
Despite the extensive loss, both Abracadabra and GMX have yet to respond to inquiries about the incident. The stolen funds have now been transferred to Ethereum, and investigations into the breach continue. This attack highlights the ongoing vulnerabilities in decentralized finance (DeFi) protocols, as attacks exploiting smart contract weaknesses remain a serious concern for the industry.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators.
This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice.
The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.
