Prominent blockchain security firm PeckShield reported an exploit involving the GMX decentralized exchange (DEX), which has brought attention to vulnerabilities within the Abracadabra (Spell) ecosystem.
The incident, tied to Abracadabra’s cauldrons – smart contracts that facilitate DeFi operations like lending, borrowing, and liquidity provision – led to the theft of approximately 6,260 Ethereum, worth roughly $13 million.
GMX Assures Contracts Remain Secure
While the attack has drawn considerable attention, GMX was quick to clarify that its contracts were not compromised. In fact, the issue was confined to the integration between GMX V2 and Abracadabra’s cauldrons, which use GMX’s liquidity pools for their operations. The team assured the community that it was not affected by the incident and confirmed that no vulnerabilities were found within GMX’s own smart contracts.
The team further explained that the Abracadabra team, along with external security researchers, was actively investigating the breach to determine its cause and prevent future incidents. This incident is particularly noteworthy as it highlights the continued security challenges within the broader DeFi ecosystem.
It also follows a previous security breach in January 2024 when Abracadabra’s Magic Internet Money (MIM) stablecoin was exploited due to a flaw in its smart contract. The exploit led to a loss of $6.49 million.
Flash Loan Attack
Crypto researcher Weilin (William) Li stated that the CauldronV4 contract permits users to perform multiple actions, with the solvency check occurring at the end of the process. In this case, the attacker performed seven actions, five of which involved borrowing the Magic Internet Money (MIM) stablecoin, followed by calling the attack contract and initiating liquidation.
Li’s initial analysis suggests that the first action, borrowing MIM, already increased the attacker’s debt, making the liquidation (action 31) possible. This liquidation, however, was suspiciously executed in a flash loan state – where the borrower had no collateral.
He also pointed out that the attacker profited from liquidation incentives and exploited the fact that the solvency check only occurred after all actions were completed, which allowed the attacker to circumvent the system’s protections.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
