Abracadabra Protocol Exploited, Hacker Drains $13M from Liquidity Pools

A security flaw in Abracadabra's smart contracts has led to a major exploit, with a hacker draining around 6262 ETH

A critical security flaw in Abracadabra’s smart contracts has been exploited by a hacker to steal around 6,262 ETH, valued at roughly $13 million, from the protocol’s liquidity pools. The exploit, identified as a flash loan exploit, was initially detected by blockchain security firm, PeckShield.

How Abracadabra’s lending system was exploited

Abracadabra’s lending system, known for its cauldrons that integrate with GMX liquidity pools for borrowing and lending, was the target of the exploit.

According to blockchain security researchers, the hacker manipulated the liquidation process in the GMX V2 integration. An unidentified weakness in this integration allowed the exploiter to withdraw funds from the protocol.

Further analysis by blockchain researcher, Weilin Li, revealed that the attacker used a large flash loan to trigger self-liquidation.

This was possible due to a property of GMX V2 that allows users to liquidate their positions if the price drops to the liquidation price. In this case, the attacker borrowed Magic Internet Money (MIM), Abracadabra’s stablecoin, and paid a liquidation premium to be immediately liquidated.

However, a GMX developer confirmed that the exploit did not affect GMX’s core contracts. The stolen funds were later transferred from Arbitrum to Ethereum.

What is known about the Abracadabra exploit

The exploit, which began on February 27, targeted Abracadabra’s cauldrons, specifically the integration with GMX V2 liquidity pools.

According to reports, the hacker used a large flash loan to trigger self-liquidation within a GMX V2 vault, rapidly draining a significant portion of Abracadabra’s liquidity.

The stolen funds were quickly moved and laundered through a series of transactions.

Exploiters used a new mixing service on Arbitrum to obfuscate the stolen coins.

Coins used in the exploit were later mixed again via a service on Ethereum.

The exploit was detected by blockchain security firm, PeckShield, who reported that a large sum of ETH had been rapidly withdrawn from Abracadabra’s cauldron on Arbitrum.

Afterwards, Abracadabra confirmed the exploit in a statement, disclosing that around 6,262 ETH had been stolen from the protocol.

The statement from Abracadabra read, in part:

“We are aware of a major exploit that has affected Abracadabra, specifically targeting our cauldrons and the integration with GMX V2 liquidity pools.

“An exploiter was able to manipulate the liquidation process in the GMX V2 integration to extract funds from the protocol. The exploiter used a large (for Arbitrum) flash loan to trigger self-liquidation of a GMX V2 vault and rapidly drained a portion of Abracadabra’s liquidity.”

What is known about Abracadabra

Abracadabra is a decentralized finance protocol that offers yield enhancement and borrowing/lending services. Its lending system, known as cauldrons, allows users to borrow and lend cryptocurrencies.

The protocol’s native stablecoin is Magic Internet Money (MIM), which is used for various DeFi activities. Abracadabra also integrates with other protocols and liquidity sources to expand its offerings.

Earlier in January, another exploit targeted Abracadabra’s MIM stablecoin, resulting in a $6.5 million loss.