A $13 million heist just hit DeFi protocol Abracadabra.
The attack exploited a weakness in smart contracts tied to GMX V2. About 6,262 ETH, worth $13 million, was drained. This isn’t Abracadabra’s first big loss.
Here’s what happened:
– The attacker used a flash loan to “liquidate” themselves.
– They borrowed and then liquidated a loan of Abracadabra’s Magic Internet Money (MIM) stablecoin in a 7-step process.
– The gain came from incentives for liquidation, as the contract requires the attacker’s account to remain solvent at the end.
The weak point was a timing issue in GMX V2’s two-step process for executing orders. The attacker interfered during this window, but GMX’s core contracts weren’t affected.
“After clarification, GMX contracts were not affected,” said Jonas_ALA, a GMX developer. “This relates to Spell’s cauldrons based on GMX V2 pools. Collaborators are investigating the cause, and I’d like to offer a sincere apology to those affected.”
This isn’t the first incident for Abracadabra. In January 2024, its MIM stablecoin was manipulated, resulting in $6.5 million in losses.
These repeated attacks show the ongoing vulnerability in some DeFi protocols. They highlight the need for continuous security audits and improvements in automated process operation windows.
The DeFi community is concerned. Security experts warn that these vulnerabilities can continue to be exploited if liquidation mechanisms and verification processes aren’t redesigned.
For now, Abracadabra developers and users must wait for the investigation results to see if any funds will be reimbursed or if measures will be taken to prevent future attacks.