Cryptocurrency lending service Abracadabra targeted in $13 million flash loan heist
In a shocking turn of events, the decentralised finance (DeFi) lending platform Abracadabra has suffered a significant exploit, resulting in the loss of approximately 6,262 Ether (ETH) worth around $13 million. This is not the first time Abracadabra has been targeted, as the platform lost $6.49 million and its Magic Internet Money (MIM) stablecoin depegged from the U.S. dollar in a previous hack in January 2024.
The crypto community was first alerted to the attack via the X platform. Security firms PeckShield, CertiK, and SlowMist also flagged the exploit. GMX, a decentralised exchange, has commented on the incident, stating that there appears to have been an exploit related to Abracadabra/Spell's cauldrons that utilise GM tokens.
According to crypto researcher Weilin (William) Li, the attacker used a seven-step process to borrow and liquidate Abracadabra's "Magic Internet Money" stablecoin. The exploit involved a flash loan attack, exploiting a vulnerability in how Abracadabra integrated GMX’s V2 liquidity pools into its lending pools.
The attacker used a flash loan to borrow a large amount of capital within a single transaction. They targeted Abracadabra's cauldrons, which used GM tokens representing liquidity positions on GMX. Because GMX’s V2 architecture executes trades in two steps fulfilled by "keepers," there was a narrow timing window. The attacker took advantage of this gap by setting up and liquidating their own position within the same block, thereby manipulating the protocol’s liquidation mechanics and capturing liquidation rewards improperly. This manipulation and rapid trade allowed them to drain the funds from Abracadabra’s smart contracts.
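The failure mode described above, a borrower who opens a collateralised position and liquidates it inside the same block while the underlying two-step order is still unsettled, can be modelled with a small lending-pool simulation. The code below is an added illustration written for this article; it is not Abracadabra's, GMX's or any researcher's code, and every number in it (reserves, the 75% loan-to-value limit, the 10% liquidation incentive, the price move) is a constructed assumption rather than a value from the incident. It shows the same self-liquidation netting a reward from pool reserves when no guard exists, and being refused when the pool requires a position to be at least one block old and its collateral order settled before it can be liquidated.

```python
"""Toy lending pool: same-block self-liquidation versus a guarded pool.

Constructed model for illustration only; parameters are assumptions,
not values taken from the Abracadabra or GMX contracts.
"""
from dataclasses import dataclass

MAX_LTV = 0.75                # assumption: borrow up to 75% of collateral value
LIQUIDATION_INCENTIVE = 0.10  # assumption: 10% of repaid debt paid from pool reserves


@dataclass
class Position:
    collateral_units: float   # units of the collateral token (e.g. a GM token)
    debt: float               # stablecoin debt owed to the pool
    opened_at_block: int      # block in which the position was created
    settled: bool             # False while the two-step collateral order is unfulfilled


class LendingPool:
    def __init__(self, reserves: float, guard_same_block: bool, require_settled: bool):
        self.reserves = reserves
        self.guard_same_block = guard_same_block
        self.require_settled = require_settled
        self.positions: dict[str, Position] = {}
        self.rewards_paid = 0.0

    def open_and_borrow(self, owner: str, collateral_units: float, price: float,
                        block: int, settled: bool) -> float:
        """Deposit collateral and borrow the maximum the LTV limit allows."""
        debt = collateral_units * price * MAX_LTV
        self.positions[owner] = Position(collateral_units, debt, block, settled)
        return debt

    def is_unhealthy(self, owner: str, price: float) -> bool:
        p = self.positions[owner]
        return p.debt > p.collateral_units * price * MAX_LTV

    def liquidate(self, owner: str, price: float, block: int) -> float:
        """Repay the debt, seize the collateral and pay the liquidator an incentive.

        Returns the incentive paid out of pool reserves. Raises PermissionError
        when one of the guards refuses the liquidation.
        """
        p = self.positions[owner]
        if self.guard_same_block and block == p.opened_at_block:
            raise PermissionError("position was opened in this block")
        if self.require_settled and not p.settled:
            raise PermissionError("collateral order has not been settled by a keeper")
        if not self.is_unhealthy(owner, price):
            raise ValueError("position is healthy; nothing to liquidate")
        reward = p.debt * LIQUIDATION_INCENTIVE
        self.reserves -= reward
        self.rewards_paid += reward
        del self.positions[owner]
        return reward


def self_liquidation(guard_same_block: bool, require_settled: bool) -> tuple[str, float]:
    """One actor opens a position and tries to liquidate it in the same block."""
    pool = LendingPool(reserves=1000.0, guard_same_block=guard_same_block,
                       require_settled=require_settled)
    block = 100
    pool.open_and_borrow("actor", collateral_units=100.0, price=1.0, block=block, settled=False)
    # Constructed: within the same block the valuation the pool uses drops 10%,
    # standing in for the window between order placement and keeper fulfilment.
    try:
        reward = pool.liquidate("actor", price=0.9, block=block)
        return ("liquidated", reward)
    except PermissionError:
        return ("blocked", 0.0)


def later_block_liquidation() -> tuple[str, float]:
    """A settled position that becomes unhealthy later is still liquidatable under the guards."""
    pool = LendingPool(reserves=1000.0, guard_same_block=True, require_settled=True)
    pool.open_and_borrow("borrower", collateral_units=100.0, price=1.0, block=100, settled=True)
    reward = pool.liquidate("borrower", price=0.9, block=101)
    return ("liquidated", reward)


if __name__ == "__main__":
    print("no guards      :", self_liquidation(False, False))
    print("guarded pool   :", self_liquidation(True, True))
    print("later block    :", later_block_liquidation())
```

The two guards are independent: the block-age check alone stops the same-block open-and-liquidate pattern, while the settlement check alone stops liquidations against collateral whose underlying order a keeper has not yet fulfilled. A pool integrating a two-step execution venue would want both, since either window on its own is enough for the pattern the article describes.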
GMX has assured users that no issues have been identified with its contracts and that they are not affected by the Abracadabra exploit. GMX has also said that contributors from Spell and GMX, together with security researchers, have been tasked with investigating the issue.
While no further details about the perpetrator or the ongoing investigation have been disclosed, it is reasonable to infer that security firms PeckShield, CertiK, and SlowMist would be involved in post-incident analysis, alerting the community and affected users, offering mitigation recommendations, and possibly assisting in tracking stolen funds during investigations.
This exploit is classified as a flash loan attack combined with manipulation of integrated DeFi protocols, exploiting the interaction between Abracadabra's lending pools and the GMX V2 protocol’s design.
- The crypto community was initially alerted to the Abracadabra exploit through the X platform, with security firms PeckShield, CertiK, and SlowMist also confirming the news.
- As part of their post-incident analysis, it is reasonable to assume that security firms PeckShield, CertiK, and SlowMist will offer mitigation recommendations, alert the community, and potentially assist in tracking stolen funds during investigations.