Hacker steals $13 million in Abracadabra's 'Magic Internet Money' seemingly using a flash loan attack
Quick Take A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools. The stolen funds have since been bridged from Arbitrum to Ethereum.
Several million dollars worth of tokens have been drained from DeFi protocol Abracadabra/Spell's “cauldrons” following a targeted hack, according to security firm Pecksheild. A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools.
Abracadabra/Spell's cauldrons are smart contracts that use decentralized exchange GMX liquidity pools for onchain lending and borrowing. The exploit seemingly involved manipulating the liquidation process in the integration of Abracadabra’s cauldrons on GMX V2’s GM pools.
“When performing the liquidation, the attacker actually LIQUIDATED himself within a FLASHLOAN state (P4) - where the borrower (who got liquidaited) has actually no collateral,” crypto researcher Weilin (William) Li said on X in an initial look at the situation. A flash loan is a DeFi-native trading strategy where a user takes out an uncollateralized loan and repays it within the same block.
Li added that the attacker used a seven-step process to borrow and liquidate a loan of Abracadabra’s algorithmic stablecoin Magic Internet Money. “And the attacker's profit comes from the liquidation incentives (because at the end of the function cook, the attacker's eoa needs to be solvent),” he said.
GMX V2 uses a two-step trading process where orders are created and fulfilled by “keepers” to prevent front-running. This window between order creation and fulfillment may have exposed a surface for the attacker to interfere, though a GMX developer noted that GMX’s core contracts were unaffected.
“To clarify, GMX contracts are not affected,” @Jonas_ALA said on X. “It relates to Spell's cauldrons based on GMX V2's GM pools. The contributors are currently looking into the cause, and I'd like to apologise wholeheartedly to anybody negatively affected. This is very unfortunate.”
The stolen funds have since been bridged from Arbitrum to Ethereum.
In January 2024, Abracadabra’s MIM stablecoin was manipulated leading to nearly $6.5 million worth of losses.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Top Cryptos to Join for 2025? Qubetics Hits Stage 31 as Kaspa Scales PoW Speed Limits and Sonic Powers Through DeFi Frontiers
Explore the future of crypto with Qubetics, Kaspa, and Sonic. Dive into their latest features, updates, and why they’re top cryptos to join for 2025.Qubetics: The Multi-Chain Wallet RevolutionKaspa: Speed and Scalability Like Never BeforeSonic: Pushing DeFi BoundariesWhat’s Next for the Qubetics Multi-Chain Wallet?ConclusionFor More Information:
CleanSpark’s Bitcoin Center Wins Early Approval in Tennessee
CleanSpark’s Bitcoin data center project in Mountain City gets preliminary approval, promising jobs and tech upgrades.Economic Growth and Modern Mining TechnologyWhat’s Next for CleanSpark?
Meme Coins Are Pumping: Notcoin and Fartcoin Lead the Way—Is Troller Cat Next?
Discover Troller Cat's exclusive whitelist, Notcoin's latest updates, and Fartcoin's surge. Secure your spot in the $TCAT presale and explore top meme coins.Unlock Exclusive Access: Join the Troller Cat WhitelistNotcoin Flexes Big Numbers with $252M Market Cap and Rising VolumeFartcoin Hits $1.10 with Over $1B Market Cap and Major Trading VolumeConclusionFor More Information:
Bitcoin Dominance Surges to Two-Year High
Trending news
MoreCrypto prices
More
