
Table of Contents
- Attack Method Analysis
- Does GMX Platform Have Vulnerabilities?
- Where the Funds Went and Historical Security Issues
Attack Method Analysis
Abracadabra/Spell’s “Cauldrons” are smart contracts that allow users to borrow and lend via the liquidity pools of the decentralized exchange GMX. However, this attack manipulated GMX V2’s “liquidation mechanism,” leading to the theft of funds.
Cryptocurrency researcher Weilin (William) Li analyzed the operation of this attack on social media platform X: “The hacker used Flash Loan technology to execute a ‘self-liquidation’ attack without any collateral.” Flash loans are a special DeFi borrowing mechanism that allows users to borrow and repay loans within the same block without providing collateral. The hacker exploited this technique, manipulating the lending and liquidation mechanisms of Abracadabra’s stablecoin Magic Internet Money (MIM) through a “seven-step process” and taking the liquidation rewards as profit.
Li added: “The attacker’s profit came from liquidation rewards because their account still maintained sufficient funds when executing the final step.”
Does GMX Platform Have Vulnerabilities?
This attack is related to GMX V2’s trading mechanism. GMX employs a “two-step trading mechanism,” which means that when a user places an order, the system first creates the order, and then specific “Keepers” execute the trade to prevent “front-running” issues. However, this attack may have exploited the “time difference between order creation and execution,” successfully interfering with the lending process.
Nevertheless, GMX developer @Jonas_ALA emphasized on platform X: “GMX’s core contracts were not affected. This attack only targeted Abracadabra’s Cauldrons. The development team is investigating the details of the attack and deeply apologizes to all affected users.”
Where the Funds Went and Historical Security Issues
Currently, the hacker has bridged the stolen funds from the Arbitrum network to the Ethereum mainnet, making it more difficult to track and recover the assets. It is worth noting that this is not the first time Abracadabra has been attacked. In January 2024, the protocol’s stablecoin MIM was also maliciously manipulated, leading to a loss of approximately $6.5 million.