Hacker steals $13 million in Abracadabra's 'Magic Internet Money' seemingly using a flash loan attack
Quick Take A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools. The stolen funds have since been bridged from Arbitrum to Ethereum.
Several million dollars worth of tokens have been drained from DeFi protocol Abracadabra/Spell's “cauldrons” following a targeted hack, according to security firm Pecksheild. A vulnerability in the protocol’s smart contracts allowed the attacker to drain approximately 6,262 ETH, valued at around $13 million, from the liquidity pools.
Abracadabra/Spell's cauldrons are smart contracts that use decentralized exchange GMX liquidity pools for onchain lending and borrowing. The exploit seemingly involved manipulating the liquidation process in the integration of Abracadabra’s cauldrons on GMX V2’s GM pools.
“When performing the liquidation, the attacker actually LIQUIDATED himself within a FLASHLOAN state (P4) - where the borrower (who got liquidaited) has actually no collateral,” crypto researcher Weilin (William) Li said on X in an initial look at the situation. A flash loan is a DeFi-native trading strategy where a user takes out an uncollateralized loan and repays it within the same block.
Li added that the attacker used a seven-step process to borrow and liquidate a loan of Abracadabra’s algorithmic stablecoin Magic Internet Money. “And the attacker's profit comes from the liquidation incentives (because at the end of the function cook, the attacker's eoa needs to be solvent),” he said.
GMX V2 uses a two-step trading process where orders are created and fulfilled by “keepers” to prevent front-running. This window between order creation and fulfillment may have exposed a surface for the attacker to interfere, though a GMX developer noted that GMX’s core contracts were unaffected.
“To clarify, GMX contracts are not affected,” @Jonas_ALA said on X. “It relates to Spell's cauldrons based on GMX V2's GM pools. The contributors are currently looking into the cause, and I'd like to apologise wholeheartedly to anybody negatively affected. This is very unfortunate.”
The stolen funds have since been bridged from Arbitrum to Ethereum.
In January 2024, Abracadabra’s MIM stablecoin was manipulated leading to nearly $6.5 million worth of losses.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Unraveling Bitcoin’s Stability Amidst $359.7M Liquidations: The How and Why
Unpacking the Factors Behind Bitcoin's Resilient Conduct in the Face of a Massive Long Liquidation Event
Viral Fame, Volatile Finance: SEC Closes Book on ‘Hawk Tuah’ Crypto Drama
FSCA Warns South African Investors to Steer Clear of Unlicensed Crypto Firms
T-Mobile Hit With $33M SIM Swap Award Over Crypto Theft
Trending news
MoreCrypto prices
More
