A hacker has exploited a vulnerability in the smart contracts of the decentralized finance (DeFi) protocol Abracadabra to withdraw approximately 6,262 ETH, worth roughly $13 million, from its liquidity pools.
The security breach, which apparently involved a flash loan attack, was first reported by blockchain security firm PeckShield.
Abracadabra’s lending mechanism, known as “cauldrons,” relies on GMX liquidity pools for on-chain borrowing and lending. The attacker allegedly manipulated the liquidation process of the Abracadabra cauldrons that integrate GMX V2’s GM pools, allowing them to withdraw funds from the protocol.
Cryptocurrency researcher Weilin (William) Li provided an early analysis of the attack on X (formerly Twitter), explaining that the attacker self-liquidated using a flash loan. Flash loans are a DeFi-specific mechanism that lets users take collateral-free loans, provided they repay them within the same transaction block.
According to Li, the hacker used a seven-step process to borrow money from Abracadabra’s algorithmic stablecoin, Magic Internet Money (MIM), and convert that debt into cash. The attacker’s profits came from liquidation incentives that allowed them to walk away with the stolen funds.
GMX V2 uses a two-stage trading process where orders are created and executed by “gatekeepers” to reduce front-running. However, this short execution window may have provided an opportunity for the attacker to intervene. Despite this attack, a GMX developer confirmed that GMX’s underlying contracts were not compromised.
Following the attack, the stolen funds were bridged from Arbitrum to Ethereum.
This is not the first time Abracadabra has been targeted. In January 2024, manipulation of its MIM stablecoin resulted in losses of approximately $6.5 million and raised concerns about the protocol’s vulnerabilities.