Decentralized lending protocol Abracadabra.Money has suffered another devastating security breach, resulting in the loss of approximately $13 million worth of Ether (ETH).
The exploit, which was detected on March 25 by blockchain security firm PeckShield, specifically targeted pools utilizing GMX tokens.
This marks the second significant attack on the platform this year, following a $6.49 million breach in January that led to the depegging of its Magic Internet Money (MIM) stablecoin.
The recent incident saw malicious actors draining 6,260 ETH by exploiting vulnerabilities in Abracadabra’s smart contract infrastructure.
While the attack spread FUD (Fear, Uncertainty, & Doubt), the decentralized exchange was quick to distance itself, emphasizing that its contracts were unaffected and that the exploit was isolated to Abracadabra’s cauldrons.
As investigations continue, the stolen funds have been traced moving through Tornado Cash before being bridged from Arbitrum to Ethereum.
GMX Denies Contract Vulnerability as Investigation Unfolds
As news of the attack broke, speculation arose regarding GMX’s involvement since the affected cauldrons relied on GM tokens.
However, in an official statement, GMX asserted that its contracts remained secure, with a pseudonymous representative reiterating, “GMX contracts are not affected.”
Important security notice:
There appears to have been an exploit related to Abracadabra/Spell's cauldrons that utilise GM tokens, as noted by PeckShield and other security specialists monitoring the blockchain.
To clarify, no issues have been identified with GMX contracts, and…
— GMX
(@GMX_IO) March 25, 2025
Instead, the issue stemmed solely from Abracadabra’s lending pools, which enabled borrowing against GM liquidity tokens.
GMX Market (GM) tokens play an important role in the decentralized exchange’s ecosystem, generating fees from swaps and leveraged trading.
The cauldrons in Abracadabra’s lending protocol, which facilitate collateralized borrowing, were structured around these GM tokens.
The breach exploited a vulnerability in these smart contracts, allowing the attackers to steal funds without impacting GMX’s core infrastructure.
Abracadabra has since halted all borrowing across its cauldrons while its core contributors and external security experts, including Guardian Audits, work to assess the full scope of the damage.
The platform has also contacted the attacker, offering a 20% bug bounty as an incentive to return the stolen funds.
While security firms like Chainalysis have been enlisted to track the movement of the stolen ETH, the funds have already been obfuscated through Tornado Cash and consolidated into multiple addresses on Ethereum.
A Pattern of Exploits Amid Growing Theft
This latest exploit follows a similarly damaging attack on Abracadabra Money on January 30. The protocol lost $6.49 million due to vulnerabilities in its Ethereum-based cauldrons.
The incident led to MIM losing its peg to the U.S. dollar, dropping as low as $0.77 before recovering.
The January breach was attributed to a rounding issue that allowed an attacker to manipulate the “userBorrowPart()” function, repeatedly borrowing and repaying loans to drain funds.
The repercussions of these attacks have raised serious concerns about Abracadabra’s security infrastructure, particularly given that Guardian Audits had audited its cauldrons.
Despite these precautions, the latest attack indicates that existing security measures were insufficient to prevent further breaches.
Abracadabra has assured its users that a full post-mortem report will be released once the investigations conclude.
Notably, this latest attack is not the only one this month. According to a March 19 report, a sophisticated hacker attack on the AI-powered crypto trading bot AIXBT resulted in the theft of 55.5 ETH (approximately $106,200) after the attacker infiltrated the system’s secure dashboard.
Investigation report
At 2AM UTC, a hacker accessed a secure dashboard for @aixbt_agent autonomous system, queuing 2 malicious replies that led to 55 eth taken from a simulacrum wallet. Those funds don’t affect core systems or development, no impact on us.
Reiterating that this…
— rxbt
(@0rxbt) March 18, 2025
The breach allowed the hacker to queue fraudulent prompts, instructing the AI agent to transfer funds.
While AIXBT’s maintainers reassured users that the AI itself was not compromised, the incident led to immediate security upgrades, including server migrations and key swaps.
The attack also caused AIXBT’s associated token on Base to drop 15.5% before a slight recovery.
With the growing prevalence of sophisticated exploits in the DeFi space, platforms and protocols are urged to implement stricter security measures to ensure users’ funds are always safe.
The post Abracadabra.Money Loses $13M in ETH to Security Breach, Following $6.49M January Hack appeared first on Cryptonews.
https://cryptonews.com/news/abracadabra-money-loses-13m-in-eth-to-security-breach-following-6-49m-january-hack/
