Abracadabra.finance Exploited for $13M Through GMX Lending Pools

By FinanceFeeds
about 1 month ago

Abracadabra.Finance lost $13 million in a targeted attack on March 25, after a vulnerability in its GMX-linked lending pools — known as “cauldrons” — was exploited using a flash loan.

Blockchain sleuths, including PeckShield, traced the theft to 6,262 ETH drained from the protocol. The attacker zeroed in on cauldrons using GM tokens, which represent liquidity positions on GMX, a decentralized exchange.

GMX was quick to clarify it wasn’t directly affected. Its contracts remained intact, with the team noting the exploit came from how Abracadabra had integrated GMX’s V2 pools into its own lending structure.

Crypto researcher Weilin Li broke down the method: the attacker used a flash loan to set up and then liquidate their own position. The trick was pulling this off inside a single block, pocketing the protocol’s liquidation rewards in the process. The design of GMX’s V2, where “keepers” fulfill trades in two steps, may have opened a narrow window that the exploiter used to their advantage.

Abracadabra confirmed the breach and is now working with security firm Guardian Audits, GMX, and others to investigate. It offered a 20% bug bounty and invited the attacker to start a conversation either onchain or via email.

The stolen funds have already been moved from Arbitrum to Ethereum, raising the risk that they’ll be laundered or dispersed through mixers.

This isn’t the first hit for Abracadabra. In early 2024, an exploit involving its stablecoin, Magic Internet Money (MIM), led to $6.5 million in losses and a brief depeg from the dollar.

While the team says no user collateral was touched this time, the breach puts more pressure on DeFi platforms relying on cross-protocol links. A single weak point — even in an audited contract — can turn into a payday for attackers with the right timing and tools.
