![Robot runs with glowing MIM coin [Ethereum hack]](https://prod-coin360-cms.s3.eu-central-1.amazonaws.com/Robot_runs_with_glowing_MIM_coin_Ethereum_hack_11zon_e74e3d8dc9.webp)

DeFi Breach Tied to GMX Pools Sparks Security Concerns

Abracadabra.Money, a decentralized lending protocol known for minting the stablecoin Magic Internet Money (MIM), suffered a major security breach on March 25, 2025, losing approximately $13 million worth of Ethereum. The attack exploited smart contracts connected to GMX liquidity token pools—specifically, the protocol’s “cauldrons,” which function as core lending vaults.

While early reports raised concerns about GMX itself, it was later confirmed that GMX’s own smart contracts remained untouched. The vulnerability existed solely within the Abracadabra-linked infrastructure that allowed borrowing against GMX liquidity positions.
The attacker executed a sophisticated exploit on the Arbitrum network, draining between 6,260 and 6,262 ETH. Forensic blockchain analysis by AMLBot and Cyvers showed that the perpetrator funded their address through Tornado Cash, a decentralized privacy mixer used to mask the origin of funds. The exploit focused on cauldrons utilizing GMX liquidity tokens as collateral.
After exploiting the vulnerability, the attacker bridged the stolen ETH from Arbitrum to Ethereum’s mainnet and dispersed the funds across three fresh wallets. This added further complexity to tracking efforts, although security firms such as Chainalysis continue to monitor activity.

Despite prior code audits conducted by Guardian Audits—who had also vetted GMX’s core contracts—the exploited gmCauldron contracts failed to withstand the attack. The breach was not flagged immediately: several transactions had already executed by the time the protocol responded.
Abracadabra’s team, known as MIM Spell, swiftly confirmed the exploit and disabled borrowing from the affected cauldrons. To incentivize the return of funds, they offered a 20% bug bounty, equivalent to roughly $2.6 million, urging the attacker to reach out either via email or directly to the protocol’s Ethereum treasury address.

The fallout sent ripples through the market. GMX’s token dropped from $14.74 to $13.74—a near 5% decline—before rebounding slightly to $14.44 at the time of writing. Ethereum also dipped 1.45%, trading around $2,060.12 during the coverage window.

GMX distanced itself from the exploit, stating publicly that the issue stemmed from Abracadabra’s use of GMX liquidity tokens, not any flaw in GMX’s native contracts. This distinction highlighted the risks inherent in DeFi composability, where vulnerabilities in one platform can cascade into others due to the interconnected nature of tokenized ecosystems.

No user collateral was reported as lost, though the exploit raised renewed concerns over the safety of funds locked in DeFi lending platforms. The use of advanced obfuscation tools like Tornado Cash and cross-chain bridges has become a recurring challenge for on-chain investigators.
Meanwhile, this incident adds to Abracadabra’s troubled security history. The protocol had already suffered a $6.49 million exploit in January 2024 due to a bug in its userBorrowPart() function, which allowed repeated borrowing and repayment cycles to drain liquidity. That breach temporarily caused MIM to lose its dollar peg, falling as low as $0.77 before recovering.
On March 26, it was reported that Abracadabra Money's DAO treasury, holding around $19 million in assets, repurchased 6.5 million MIM, effectively covering 50% of the loss within 36 hours. The remaining losses are slated to be systematically addressed by mid-2025 through the treasury's funds.

In its public communication, the project committed to rebuilding trust and emphasized enhanced security measures and future expansions, including new initiatives on Berachain, Nibiru, and Purrswap. Additionally, Abracadabra is collaborating with security experts to track the stolen funds and has offered the hacker a bug bounty as the basis for negotiations.
As the DeFi landscape matures, these attacks underscore systemic vulnerabilities that stem not just from unaudited code, but from the complexity of integrating multiple decentralized applications. Earlier this month, AIXBT, an AI-based crypto trading bot, was hacked for 55.5 ETH (~$106,000), further illustrating the growing threat posed by highly coordinated and technologically advanced actors.
Calls for continuous auditing, real-time threat detection systems, and safer contract upgrade mechanisms are growing louder within the industry. The Abracadabra exploit has now become the latest case study in how fragile trust in composable DeFi ecosystems can be—and how quickly millions can vanish without ever compromising a single user wallet.
This article has been refined and enhanced by ChatGPT.