Hacker steals $13 million in Abracadabra's 'Magic Internet Money' seemingly using a flash loan attack
Quick Take A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools. The stolen funds have since been bridged from Arbitrum to Ethereum.
Several million dollars worth of tokens have been drained from DeFi protocol Abracadabra/Spell's “cauldrons” following a targeted hack, according to security firm Pecksheild. A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools.
Abracadabra/Spell's cauldrons are smart contracts that use decentralized exchange GMX liquidity pools for onchain lending and borrowing. The exploit seemingly involved manipulating the liquidation process in the integration of Abracadabra’s cauldrons on GMX V2’s GM pools.
“When performing the liquidation, the attacker actually LIQUIDATED himself within a FLASHLOAN state (P4) - where the borrower (who got liquidaited) has actually no collateral,” crypto researcher Weilin (William) Li said on X in an initial look at the situation. A flash loan is a DeFi-native trading strategy where a user takes out an uncollateralized loan and repays it within the same block.
Li added that the attacker used a seven-step process to borrow and liquidate a loan of Abracadabra’s algorithmic stablecoin Magic Internet Money. “And the attacker's profit comes from the liquidation incentives (because at the end of the function cook, the attacker's eoa needs to be solvent),” he said.
GMX V2 uses a two-step trading process where orders are created and fulfilled by “keepers” to prevent front-running. This window between order creation and fulfillment may have exposed a surface for the attacker to interfere, though a GMX developer noted that GMX’s core contracts were unaffected.
“To clarify, GMX contracts are not affected,” @Jonas_ALA said on X. “It relates to Spell's cauldrons based on GMX V2's GM pools. The contributors are currently looking into the cause, and I'd like to apologise wholeheartedly to anybody negatively affected. This is very unfortunate.”
The stolen funds have since been bridged from Arbitrum to Ethereum.
In January 2024, Abracadabra’s MIM stablecoin was manipulated leading to nearly $6.5 million worth of losses.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
FDIC Opens Doors for Banks to Engage in Crypto Activities
Terraform Labs to Open Crypto Loss Claims Portal on March 31
Hyperliquid announces new fully on-chain validator voting feature for asset delisting
Trump: Tariffs on Canada will definitely be implemented
Trending news
MoreCrypto prices
More
