Attack Method Analysis
Abracadabra/Spell’s “Cauldrons” are smart contracts that allow users to borrow against the liquidity pool of the decentralized exchange GMX. This attack, however, manipulated the “liquidation mechanism” of the GMX V2 platform, resulting in the theft of funds. Cryptocurrency researcher Weilin (William) Li analyzed how the attack worked on the social media platform X:
“The hacker executed a ‘self-liquidation’ attack using Flash Loan technology, without the need for any collateral.”
Flash loans are a special DeFi lending mechanism that allows users to borrow and repay within the same block without providing collateral. The hacker exploited this technology to manipulate Abracadabra’s stablecoin Magic Internet Money (MIM) lending and liquidation mechanism through a “seven-step process,” obtaining liquidation rewards as a source of profit.
Li added: “The attacker’s profit came from the liquidation rewards, as their account still maintained a sufficient balance during the execution of the final step.”
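A monitoring heuristic for the pattern described above, as an added example (not code from Abracadabra, GMX or the researcher quoted): it flags transactions in which an account liquidates its own position and records whether a flash loan and a borrow occurred in the same transaction. The event schema, addresses and amounts are constructed for illustration, and the check assumes the liquidator and the liquidated account appear as the same address.

```python
from collections import defaultdict

# Constructed sample events using a hypothetical, simplified schema
# (not real on-chain data and not the protocols' actual event names).
SAMPLE_EVENTS = [
    # tx 0xaaa: flash loan, borrow, then the borrower liquidates itself
    {"tx": "0xaaa", "kind": "flash_loan", "receiver": "0xA1", "amount": 1_000_000},
    {"tx": "0xaaa", "kind": "borrow", "account": "0xA1", "amount": 900_000},
    {"tx": "0xaaa", "kind": "liquidation", "liquidator": "0xA1",
     "account": "0xA1", "reward": 45_000},
    # tx 0xbbb: ordinary third-party liquidation, no flash loan
    {"tx": "0xbbb", "kind": "liquidation", "liquidator": "0xC3",
     "account": "0xB2", "reward": 1_200},
    # tx 0xccc: flash-loan-funded liquidation of a different account
    {"tx": "0xccc", "kind": "flash_loan", "receiver": "0xD4", "amount": 50_000},
    {"tx": "0xccc", "kind": "liquidation", "liquidator": "0xD4",
     "account": "0xE5", "reward": 2_000},
]

def find_self_liquidations(events):
    """Return one finding per liquidation where liquidator == liquidated account."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev["tx"]].append(ev)

    findings = []
    for tx, evs in by_tx.items():
        # Addresses are compared case-insensitively (hex casing varies by source).
        flash_receivers = {e["receiver"].lower() for e in evs if e["kind"] == "flash_loan"}
        borrowers = {e["account"].lower() for e in evs if e["kind"] == "borrow"}
        for e in evs:
            if e["kind"] != "liquidation":
                continue
            liquidator, account = e["liquidator"].lower(), e["account"].lower()
            if liquidator != account:
                continue  # third-party liquidation: expected behaviour
            findings.append({
                "tx": tx,
                "account": account,
                "reward": e["reward"],
                # Context that raises priority for an analyst reviewing the alert.
                "flash_loan_funded": liquidator in flash_receivers,
                "borrowed_in_same_tx": account in borrowers,
            })
    return findings

if __name__ == "__main__":
    for finding in find_self_liquidations(SAMPLE_EVENTS):
        print(finding)
```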
Does GMX Platform Have Vulnerabilities?
This attack is related to the trading mechanism of GMX V2. GMX has adopted a “two-step trading mechanism,” meaning that after a user places an order, the system first creates the order, which is then executed by specific “Keepers” to prevent “front-running” issues. However, this attack potentially exploited the “time difference between order creation and execution,” successfully disrupting the lending process.
Nevertheless, GMX developer @Jonas_ALA emphasized on the X platform: “The core contract of GMX was not affected; this attack targeted only Abracadabra’s Cauldrons. The development team is investigating the details of the attack and sincerely apologizes to all affected users.”
Funds Destination and Historical Security Issues
Currently, the hacker has bridged the stolen funds from the Arbitrum network to the Ethereum mainnet, making tracking and recovering the assets more difficult. It is worth noting that this is not the first time Abracadabra has faced an attack. In January 2024, the protocol’s stablecoin MIM was also maliciously manipulated, resulting in approximately $6.5 million in losses.