SPELL and GMX Drop After $13 Million Hack
A daring attack on DeFi protocol Abracadabra saw $13 million disappear in a flash, raising concerns about smart contract security in the decentralized finance industry.
According to information from blockchain security firm PeckShield, a vulnerability in Abracadabra’s smart contract was exploited by hackers, leading to the withdrawal of approximately 6,262 ETH – equivalent to $13 million – from the protocol’s liquidity pools.
The attacker used a flash loan technique, a trading strategy typical of DeFi, to manipulate the liquidation process in Abracadabra’s “cauldrons” system. The stolen funds were then transferred from the Arbitrum network to Ethereum, making it difficult to trace.
Cryptocurrency researcher Weilin (William) Li’s preliminary analysis on X shows that the hacker liquidated the loan in a flash loan state, taking advantage of the lack of collateral. The complex process involves seven steps, in which the attacker borrows Magic Internet Money (MIM) – Abracadabra’s algorithmic stablecoin – and takes advantage of liquidation incentives to profit.
The hacker’s profit comes from the liquidation reward, as the attacker’s account must ultimately be solvent.
The incident also directly affected the GMX exchange. The platform uses a two-step transaction process with the participation of “keepers” to minimize front-running. However, the time between order creation and execution may have created a loophole for hackers to intervene. However, GMX representatives confirmed that GMX’s smart contract was not affected. The issue related to Abracadabra’s cauldrons is based on GMX V2’s GM pools.
