Abracadabra Drained of $13M in Exploit Targeting Cauldrons Tied to GMX Liquidity Tokens

Decentralized lending platform Abracadabra.Finance suffered an attack that drained $13 million worth of cryptocurrency from pools tied to GMX liquidity tokens.

Blockchain security firm PeckShield flagged that contracts involving decentralized exchange GMX and Abracadabra were compromised, leading to the theft of 6,260 ETH, worth around $12.98 million at the time of writing.

The exploit focused on so-called "cauldrons," isolated lending markets in Abracadabra where users can borrow against crypto collateral. These particular cauldrons relied on GM tokens, which represent liquidity positions in GMX, a decentralized exchange platform.

GMX distanced itself from the incident. In a post on X, an account associated with the exchange said that GMX’s contracts themselves were unaffected. The team later said the breach was “solely related to the Abracadabra/Spell cauldrons,” which used GM tokens as collateral but did not involve GMX’s core infrastructure.

In a statement on X, Abracadabra confirmed the exploit and said core contributors and engineers were investigating the incident to its “fully audited” cauldron. The protocol noted that gmCauldrons had been audited by Guardian Audits — the same firm that audited GMX contracts — and were part of a broader security infrastructure involving monitoring and response tools.

The protocol offered the attacker a 20% bug bounty and invited them to negotiate via email or an on-chain message.

Abracadabra is working with Guardian and GMX as well as other security partners in assessing the extent of the damage and how the attack was executed. A full post-mortem will follow once the investigation concludes, and no user collateral was affected, it said.

Last year Abracadabra.Finance suffered a $6.49 million exploit that caused its Magic Internet Money (MIM) stablecoin to lose its peg to the U.S. dollar.