Abracadabra.Money’s GMX Pools Breached, Resulting In $13 Million Loss

Abracadabra suffered a $13 million loss in ETH due to a hack targeting pools linked to GMX, though GMX claims its smart contracts were not part of the vulnerability.
Approximately $13 million worth of cryptocurrency was drained from the decentralized lending protocol Abracadabra following an exploit targeting pools associated with GMX tokens.
On March 25, crypto cybersecurity firm PeckShield reported that contracts connected to Abracadabra and GMX had been compromised, leading to the loss of around 6,260 Ether (ETH), valued at approximately $13 million.
This incident comes after Abracadabra suffered a $6.49 million loss in late January 2024 due to a smart contract breach, which also caused its Magic Internet Money (MIM) stablecoin to lose its peg to the US dollar.
GMX Rejects Claims of Contract Vulnerability
Contrary to initial reports, a pseudonymous GMX representative asserted on X that “GMX contracts are not affected.” The contributor explained that the connection stems from MIM’s pools utilizing GMX v2 pools.
GM Market (GM) tokens are integral to the platform, accumulating fees from swaps and leveraged trading. Meanwhile, MIM’s pools, known as cauldrons, function as the protocol’s main offering, enabling isolated lending exposure.
In an official X post, GMX stated that the exploit targeted MIM’s pools utilizing GM tokens. The post emphasized that “no issues have been identified with GMX contracts” and further explained:
“We believe the issue relates solely to the Abracadabra/Spell cauldrons. These cauldrons allow for borrowing against specific GM liquidity tokens.”
As of publication, neither GMX nor Abracadabra had responded to inquiries regarding the incident.
Hackers Funnel Stolen Funds Through Tornado Cash and Ethereum Bridge
The attackers laundered the stolen assets by routing them through Tornado Cash, a privacy-focused mixing service. Following this, the funds were bridged to the Ethereum network, making tracking and recovery efforts more challenging.
Graphic tracking the hacked funds. Source: AMLBot
Forensics firm AMLBot provided an analysis of the exploit, revealing that the hacker’s address was initially funded through Tornado Cash, a decentralized cryptocurrency mixer. These funds were then used to cover transaction fees for the malicious activity.
Following the attack, the stolen ETH was moved from the Arbitrum network to Ethereum via a blockchain bridge. According to AMLBot:
“The stolen funds, totaling 6,260 ETH, have been transferred from Arbitrum to Ethereum via a bridge.”
AMLBot’s investigation also confirmed that only Abracadabra’s contracts were compromised in the attack, while GMX’s smart contracts remained unaffected.