Abracadabra Finance has confirmed a security exploit affecting its gmCauldron smart contracts, resulting in the theft of approximately $13 million and is taking steps to recover the funds.
The protocol has since disabled borrowing across all cauldrons and is working with blockchain security firms to track the stolen funds, according to a company statement.
The attack, which blockchain security firm PeckShield first flagged, targeted the integration between GMX decentralized exchange and Abracadabra’s lending contracts.
“The full damage of the attack is currently being assessed. We are working together with Guardian Audits, GMX, and other security peers to identify the execution of the hack,” the company posted.
Abracadabra noted that its gmCauldrons underwent audits by Guardian Audits before deployment and were integrated into multiple security monitoring systems — including Zeroshadow tracking and Hexagate response software. Despite these measures, the breach was only detected after the attacker executed multiple transactions.
The Zeroshadow team eventually alerted Abracadabra, prompting an immediate shutdown of all borrowing functions.
Blockchain analytics firm Chainalysis has been enlisted to track the stolen assets, which have been bridged from Arbitrum (ARB) to Ethereum (ETH) and consolidated into at least three addresses.
Abracadabra is offering the attacker a 20% bug bounty to return the remaining funds, stating:
“To the hacker, we are happy to entertain negotiations for a bug bounty of 20% of the total. Reach out at [email protected] or on-chain to our treasury address on ETH 0xDF2C270f610Dc35d8fFDA5B453E74db5471E126B.”
A full post-mortem of the latest exploit will be released once the investigation is complete, the company said.
