Abracadabra Hacked for $13M, Offers Hacker 20% Bounty to Return Funds

Staff Writer
Mar. 26, 2025
In yet another high-profile decentralized finance security breach, Abracadabra Finance, a prominent lending platform in the crypto ecosystem, has suffered a $13 million exploit linked to its integration with the decentralized exchange GMX. The exploit targeted Abracadabra's “cauldrons” — isolated lending markets — specifically those interacting with GMX's Version 2 liquidity pools.
[Image: GM cauldron] The attacker exploited flaws in gmCauldrons, which let users borrow against GMX V2 liquidity tokens. (Image Source: @MIM_Spell on X)

How the Exploit Unfolded

The exploit was discovered on March 25, with on-chain analytics firm PeckShield identifying the incident and confirming the loss of 6,260 ETH, valued at roughly $13 million USD at the time of the attack. The funds were reportedly drained through multiple transactions before any alerts could be raised.

The attacker took advantage of vulnerabilities in gmCauldrons, which allow users to borrow against GM tokens representing positions in GMX’s V2 liquidity pools. These cauldrons are smart contracts designed to hold collateral and manage lending interactions. Despite undergoing prior audits, they were exploited due to a combination of flawed assumptions in contract logic and a lack of early detection.

GMX Responds: “Core Protocol Unaffected”

In the aftermath, GMX moved quickly to clarify that the vulnerability did not originate from its own protocol. In a statement shared via social media, a GMX representative said:

“To clarify, GMX contracts are not affected. This incident is specific to Abracadabra/Spell’s cauldrons that use GMX V2's GM pools. We’re in communication with the affected parties.”

This clarification eased some concern in the broader DeFi community, which initially feared the exploit might have originated from a vulnerability in GMX itself.

Abracadabra Reacts with Bounty Offer

In an effort to recover funds, Abracadabra Finance has taken a conciliatory approach — offering the attacker a 20% bug bounty, worth roughly $2.6 million, if the remaining funds are returned.

“To the hacker, we are happy to entertain negotiations for a bug bounty of 20% of the total,” Abracadabra stated.

This tactic mirrors other recent DeFi responses to hacks, where platforms attempt to engage with attackers as "white-hat hackers" rather than immediately pursuing law enforcement or legal avenues.

Abracadabra also assured users that Chainalysis, a leading blockchain forensics firm, has been engaged to trace the movement of funds. Initial tracking shows that the stolen ETH has already been bridged from Arbitrum to Ethereum mainnet and distributed among at least three wallet addresses, making recovery efforts more complex.

Security Measures Questioned

Abracadabra emphasized that the affected cauldrons had passed security audits conducted by Guardian Audits and were actively monitored by software solutions like Zeroshadow and Hexagate. However, these safeguards failed to prevent or flag the exploit in time.

The company has launched an internal investigation and announced that a detailed post-mortem will be made public after its completion.

This exploit adds to a growing list of recent DeFi protocol hacks, raising fresh concerns over smart contract vulnerabilities and the adequacy of current auditing practices.

DeFi’s Ongoing Struggle with Security

The DeFi industry, while innovative and fast-growing, continues to grapple with security threats. In 2024 alone, blockchain security platforms estimated over $1.2 billion in crypto assets were stolen via DeFi exploits, underscoring the persistent risks despite increasing investment in audits and monitoring tools.

The situation also underscores the fragility of interoperability between protocols. As DeFi becomes more composable — with one protocol depending on the smart contracts of another — a single weak link can have devastating cascading effects.

Eyes on the Attacker as DeFi Awaits the Next Move

As Abracadabra works to contain the damage and possibly recover funds, the exploit serves as another stark reminder for developers and investors alike: in DeFi, security is never absolute. Whether or not the attacker accepts the bounty and returns the funds remains to be seen. For now, the crypto community will be watching closely — and auditing their own protocols — as the dust settles from yet another multimillion-dollar exploit.