Hackers managed to drain funds from the platform’s smart contract system, referred to as “cauldrons,” in an attack valued at approximately $13 million. Peckshield, a leading security firm, reported that the exploit took advantage of a vulnerability in the protocol’s smart contracts, allowing the attacker to steal over 6,200 ETH.
How the Exploit Happened: Flash Loans and Liquidation Manipulation
Abracadabra/Spell’s cauldrons utilize liquidity from the GMX decentralized exchange for facilitating on-chain lending and borrowing. The attack appears to have been a well-crafted exploitation of the protocol’s interaction with GMX V2’s liquidity pools. Researchers suggest the attacker used a flash loan, a commonly employed DeFi strategy where users borrow funds without collateral, and manipulate the liquidation process within this context.
According to blockchain expert Weilin Li, the attacker took advantage of a specific feature in Abracadabra’s algorithmic stablecoin system, Magic Internet Money (MIM), which allowed them to borrow and subsequently liquidate funds in a way that bypassed standard collateral requirements. Li further explained that the attacker’s profits stemmed from incentives tied to liquidation events, ultimately ensuring the success of their exploit.
GMX V2: Two-Step Trading Process and the Exploit Surface
The exploit seems to have been made possible by a potential gap in GMX V2’s two-step trading process, designed to prevent front-running. This process involves “keepers,” who handle order creation and fulfillment. The interval between placing an order and its execution might have provided the attacker with a chance to manipulate the system. Despite this, GMX developers confirmed that their core contracts remained secure and unaffected by the breach.
A statement from a GMX developer clarified that the issue was tied to Abracadabra’s integration with GMX’s pools, rather than any weakness in GMX’s core system. The developer expressed their regret for the situation and reassured the community that an investigation was underway to determine the exact cause of the exploit.
Stolen Funds Moved to Ethereum
After the breach, the stolen funds were quickly bridged from Arbitrum, the layer 2 scaling solution, to the Ethereum mainnet. This event serves as a reminder of the vulnerabilities that can exist within the rapidly evolving world of decentralized finance.
This attack comes on the heels of a similar incident earlier in 2024, when Abracadabra’s MIM stablecoin was exploited, resulting in losses of nearly $6.5 million. The ongoing concerns regarding vulnerabilities in smart contract systems highlight the need for more robust security practices in the DeFi space.
Editorial Team
Reporter at Coindoo
Source: https://coindoo.com/defi-exploit-drains-millions-from-crypto-protocol/