Abracadabra.Money, a decentralized lending platform, experienced a cyber attack that resulted in the loss of approximately 13 million dollars in Ethereum (ETH).
The attack, aimed at pools linked to GMX tokens, has raised questions about the security of the platform. However, GMX has denied any vulnerabilities in its smart contracts.
Details of the attack on Abracadabra.Money: 6,260 ETH stolen
According to the cybersecurity company PeckShield, on March 25, 6,260 ETH, equivalent to about 13 million dollars, were stolen from the contracts linked to Abracadabra.Money and the GMX pools.
The incident follows a previous attack that occurred at the end of January 2024, which had caused a loss of 6.49 million dollars and compromised the peg of the Magic Internet Money (MIM) token to the value of the US dollar.
The attack highlighted possible vulnerabilities in the Abracadabra.Money contracts, although doubts remain about the involvement of GMX.
Despite the initial hypotheses suggesting that the flaw was in the GMX contracts, a member of the platform’s communication team clarified that “the contracts of GMX have not been compromised.”
The representative explained that the GMX smart contracts were mentioned only because the MIM pools use GMX v2 pools.
GMX then released an official statement on X, specifying that the attack exclusively affected the MIM pools based on GM tokens. The platform stated:
“We believe that the problem is solely related to the Abracadabra/Spell cauldrons. These cauldrons allow borrowing against specific GM liquidity tokens.”
This stance exempts GMX from any direct involvement in the vulnerability, leaving Abracadabra.Money alone in managing the consequences of the attack.
Analysis of the attack: use of Tornado Cash and bridge to Ethereum
The blockchain analysis company AMLBot has partially reconstructed the modus operandi of the hackers. According to the investigations:
- The first funding of the hacker’s wallet occurred through Tornado Cash, a decentralized mixer that obscures the origin of cryptocurrencies.
- Subsequently, the funds were used to cover the fees of the malicious transactions.
- Once the operation was completed, the 6,260 stolen ETH were transferred from the Arbitrum network to Ethereum through a blockchain bridge.
AMLBot also confirmed that only the Abracadabra.Money contracts were breached, while the GMX smart contracts were not compromised during the attack.
This attack represents an additional challenge for the world of decentralized finance (DeFi), one of the areas most exposed to hacking risks. With more and more platforms based on smart contracts, security remains one of the main concerns for investors and developers.
Abracadabra.Money had already experienced a breach in January 2024, which resulted in a loss of nearly 6.5 million dollars and a destabilization of the MIM token.
This new attack further tests the platform’s ability to ensure protection for users.
GMX, for its part, reiterated that its contracts have not been breached, trying to dispel any doubts about the security of its platform.
The management of communication by the companies involved will be crucial to maintain user trust and limit the repercussions on the market.
Conclusions
The attack on Abracadabra.Money has once again highlighted the risks of DeFi, a rapidly growing sector but vulnerable to cyber attacks. The loss of 13 million dollars in ETH represents a significant blow for the platform and its users.
The investigations by PeckShield and AMLBot have clarified that the flaw lies in the contracts of Abracadabra.Money, while GMX seems to be unrelated.
However, the incident raises important questions about the security of interactions between DeFi protocols and the need for greater protection against exploits and malicious attacks.
Abracadabra.Money will now have to face the consequences of the attack, implementing security measures to avoid future breaches and restore user trust in the protocol.
Source: https://en.cryptonomist.ch/2025/03/25/hacker-attack-on-abracadabra-money-13-million-dollars-in-eth-stolen/