Hack Strikes Abracadabra’s GMX-Linked Pools, Resulting in $13 Million Loss

Abracadabra.Money has suffered a loss of approximately $13 million in cryptocurrency following an exploit targeting GMX token-linked pools.

According to a 25 March post by cybersecurity firm PeckShield, contracts associated with both GMX and Abracadabra.Money were compromised, resulting in the theft of around 6,260 Ether.

This breach comes just months after Abracadabra.Money lost $6.49 million in January 2024 due to a similar smart contract exploit, which also caused its Magic Internet Money (MIM) stablecoin to lose its peg to the US dollar.

GMX Denies Smart Contract Breach

Inspite of initial reports, a pseudonymous GMX communications contributor clarified on X that "GMX contracts are not affected" by the exploit.

The contributor explained that GMX's involvement stems from the fact that MIM’s pools are based on GMX v2 pools.

GMX Market (GM) tokens, which play a central role in the GMX ecosystem by earning fees from swaps and leveraged trading, are integral to MIM’s pools—referred to as cauldrons—which offer isolated lending exposure.

In an official post, GMX confirmed that the hack targeted MIM’s pools using GM tokens but emphasized that no issues were found within GMX's contracts themselves, adding:

“We believe the issue relates solely to the Abracadabra/Spell cauldrons. These cauldrons allow for borrowing against specific GM liquidity tokens.”

After a thorough investigation, they issued another statement.

Tornado Cash Used by Hackers to bridge to Ethereum

Crypto forensics firm AMLBot offered a partial reconstruction of the exploit, detailing the hacker's steps.

The hacker’s address was initially funded via the Tornado Cash decentralised mixer, with those funds subsequently used to cover transaction fees for the malicious activities.

The stolen ETH was then transferred from the Arbitrum network to Ethereum through a blockchain bridge:

“The stolen funds, totaling 6,260 ETH, have been transferred from Arbitrum to Ethereum via a bridge.”

AMLBot’s investigations confirmed that the breach solely impacted Abracadabra.Money contracts, with no evidence suggesting any exploitation of GMX’s smart contracts during the attack.