Abracadabra Hack (2025)

Monetary Impact: $13,400,000
Month: March
Year: 2025
Type: Smart Contract
Network: Arbitrum/Ethereum
Platform Status: Operational
Cause: Flawed collateral accounting in GMX V2 CauldronV4

Incident Review

On March 25, 2025, Abracadabra Money, a DeFi protocol that lets users borrow its Magic Internet Money (MIM) stablecoin against interest-bearing tokens, suffered a $13.4 million exploit of its GMX V2 CauldronV4 smart contracts, which integrate with GMX V2's non-atomic deposit system.

The root cause was flawed collateral accounting in the Cauldron's orderValueInCollateral() function, which did not update its internal state variables (inputAmount, minOut, minOutLong) after a GMX deposit failed or a position was liquidated. Using a multi-step flash loan attack, the attacker initiated a GMX deposit that was designed to fail, leaving "phantom collateral" on the books; borrowed MIM against it; self-liquidated the position to pull real USDC out of the RouterOrder via sendValueInCollateral(); and then re-borrowed against the unchanged collateral value, bypassing the _isSolvent() check. Executed through the cook() function across 56 transactions over roughly 100 minutes, the sequence drained about 6,262 ETH (~$13.4M) from five GM Cauldrons. The stolen funds were bridged from Arbitrum to Ethereum. The attacker's wallets were funded via Tornado Cash, and one of them deployed the exploit contract (0xf29120acd274a0c60a181a37b1ae9119fe0f1c9c).

In response, Abracadabra paused borrowing, nullified the orderAgent, recovered $260,000 in trapped funds, and integrated Hexagate for monitoring, although the DegenBox vault was not initially covered. A 20% bounty (~$2.58M) was offered for return of the funds, and Guardian Audits, Chainalysis, and Seal 911 assisted with the forensics. The MIM price dropped 10% ($1.20 to $1.08), and GMX fell 15% ($55.20 to $46.92). A prior hack in January 2024 had cost $6.5M, highlighting recurring vulnerabilities.

The incident underscores the need for rigorous invariant testing, intermediate solvency checks, restricted self-liquidation, and post-integration audits to mitigate the risks of complex DeFi interactions.
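The accounting flaw described above comes down to one broken invariant: the collateral value the solvency check reads must never exceed the assets the cauldron can actually reach. The following simplified model is an added illustration, not Abracadabra or GMX code; the class, field and function names (pending_input, value_in_collateral, is_solvent, real_backing) and the 75% loan-to-value ratio are assumptions chosen to mirror the concepts the report names (inputAmount, orderValueInCollateral(), _isSolvent()), not the protocol's real implementation. It runs the same failed-deposit scenario against a flawed and a hardened accounting path and exposes the monitoring check that would have flagged the drift.

```python
from dataclasses import dataclass

# Constructed, simplified model of pending-order collateral accounting.
# NOT Abracadabra or GMX code: names and the ratio below are assumptions.
MAX_LTV = 0.75  # assumed: debt may be at most 75% of reported collateral value


@dataclass
class Cauldron:
    clear_pending_on_failure: bool      # False = flawed accounting, True = hardened
    real_collateral: float = 0.0        # collateral the cauldron actually holds
    pending_input: float = 0.0          # value handed to the external router, awaiting fill
    router_balance: float = 0.0         # real funds still sitting in the router order
    debt: float = 0.0

    def request_deposit(self, amount: float, fill_succeeds: bool) -> None:
        """Non-atomic deposit: funds move to the router now, the fill result arrives later."""
        self.pending_input += amount
        self.router_balance += amount
        self.settle_deposit(fill_succeeds)

    def settle_deposit(self, fill_succeeds: bool) -> None:
        if fill_succeeds:
            self.real_collateral += self.pending_input
            self.router_balance -= self.pending_input
            self.pending_input = 0.0
        elif self.clear_pending_on_failure:
            # Hardened path: a failed order stops counting as collateral immediately.
            self.pending_input = 0.0
        # Flawed path: pending_input is left in place and keeps inflating collateral value.

    def value_in_collateral(self) -> float:
        """What the solvency check sees: held collateral plus in-flight order value."""
        return self.real_collateral + self.pending_input

    def is_solvent(self) -> bool:
        return self.debt <= MAX_LTV * self.value_in_collateral()

    def borrow(self, amount: float) -> bool:
        """Debt is only taken on if the position remains solvent afterwards."""
        self.debt += amount
        if not self.is_solvent():
            self.debt -= amount
            return False
        return True

    def real_backing(self) -> float:
        """Assets actually reachable to cover the debt: held collateral plus router funds."""
        return self.real_collateral + self.router_balance

    def release_router_funds(self) -> float:
        """Router funds leave the system (e.g. on liquidation) without touching the accounting."""
        out = self.router_balance
        self.router_balance = 0.0
        return out


def overstated_collateral(c: Cauldron) -> float:
    """Monitoring invariant: reported collateral value may never exceed real backing.
    Returns the excess (0.0 when the invariant holds)."""
    return max(0.0, c.value_in_collateral() - c.real_backing())


def failed_deposit_scenario(clear_pending_on_failure: bool) -> dict:
    """Deposit that fails, borrow attempt, router funds released; report what a monitor sees."""
    c = Cauldron(clear_pending_on_failure)
    c.request_deposit(100.0, fill_succeeds=False)
    overstated_before = overstated_collateral(c)   # 0 in both: router still holds the funds
    borrowed = c.borrow(70.0)                      # flawed path lends against the failed order
    c.release_router_funds()
    return {
        "overstated_before_release": overstated_before,
        "borrow_allowed": borrowed,
        "overstated_after_release": overstated_collateral(c),
        "solvent_by_own_check": c.is_solvent(),
        "debt_exceeds_real_backing": c.debt > MAX_LTV * c.real_backing(),
    }


if __name__ == "__main__":
    print("flawed:  ", failed_deposit_scenario(clear_pending_on_failure=False))
    print("hardened:", failed_deposit_scenario(clear_pending_on_failure=True))
```

The flawed path reports itself solvent the whole way through because is_solvent() only ever consults its own bookkeeping; the gap is visible only to a check that compares reported collateral against real backing, which is the kind of invariant the report's recommendation of invariant testing and intermediate solvency checks points at. In the hardened path the failed order is written off before any borrow is evaluated, so the borrow is refused and the invariant holds after the router funds leave.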

©2025, UEEx All Rights Reserved FINTRAC Registered