QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$12 944 000 USD
MARCH 2025
GLOBAL
ABRACADABRA MONEY
DESCRIPTION OF EVENTS
Abracadabra Money is an omnichain DeFi lending platform that enables users to mint Magic Internet Money (MIM), a USD-pegged stablecoin, by using interest-bearing tokens as collateral. With over $142 million in total value locked and a robust ecosystem that includes borrowing cauldrons, staking, and liquidity pools, Abracadabra offers deep liquidity, cross-chain operability, and strong community governance through its SPELL token. The platform’s design emphasizes decentralization, user empowerment, and seamless cross-chain functionality, making it a key player in the DeFi space.
"Abracadabra.money is a Omnichain DeFi lending platform that works its magic by utilizing interest-bearing tokens as collateral to mint Magic Internet Money (MIM), a USD-Denominated stablecoin.
Abracadabra unlocks the capital of interest bearing assets, allowing users to take on USD-denominated loans while their collateral keeps earning yield. Abracadabra also offers staking strategies, which allows non-yielding assets to start earning yield in a very simple, secure and efficient way."
Guardian Audits was the firm which audited the smart contract. "The exploit waltzed through their review while they were busy catching other bugs in the same codebase - they spotted multiple issues but completely missed how a failed deposit and self-liquidation could create a phantom collateral position that remained borrowable."
"The Setup: Deposit into GMX, but make it fail. The tokens don’t return to the attacker. Instead, they get stuck in the OrderAgent contract, waiting to be claimed.
The Misdirection: Borrow funds and push the position into liquidation. Everyone focuses on the liquidation, but the real trick is already in motion.
The Switch: Self-liquidate. The contract wipes the position but forgets to scrub the order. The collateral? Still hanging around like an unpaid bar tab.
The Reveal: Borrow against a ghost. The system, blissfully unaware, still sees the liquidated position as good collateral. 6,260 ETH exits stage left—while everyone’s eyes are on the wrong trick."
6,260 ETH x $2,067.76 = $12944177.6
Abracadabra Money tweeted that they are aware of an exploit affecting their gmCauldrons and have launched an in-depth investigation with core contributors and security engineers. Despite having undergone full audits by @GuardianAudits and being integrated with advanced monitoring tools like @zeroshadow_io and @hexagate_, the exploit was only detected after several malicious transactions. Borrowing was immediately disabled across all cauldrons once alerted. Importantly, no user collateral was impacted, and the issue is isolated to the gmCauldrons. The team is collaborating with @GMX_IO, @chainalysis, and other partners to assess the damage and trace the stolen funds, currently consolidated at a known wallet address. Abracadabra is also open to negotiating a 20% bug bounty with the attacker and will release a full post-mortem soon.
"Abracadabra rushed out their "Path Forward" document the day after the exploit, promising to buy back 6.5 million MIM and cover half the damage upfront."
"The stolen funds (6,260 ETH in total) were bridged from Arbitrum to Ethereum"
"Abracadabra paused all borrowing and trotted out a 20% bounty offer, but the attacker had already split town with their 6,260 ETH."
"Guardian Audits skipped the usual blame-shifting dance and owned their miss when Rekt News came knocking." "Their response? Double the security squad and slap on invariant testing - a rare sign that at least one audit shop cares more about actual security than collecting protocol badges."
Abracadabra Money is a cross-chain DeFi lending platform that allows users to mint a USD-pegged stablecoin, Magic Internet Money (MIM), using interest-bearing tokens as collateral. Despite its robust ecosystem, including over $142 million in TVL and extensive audits, the platform recently suffered a major exploit due to a flaw in its gmCauldrons. The attacker manipulated a failed deposit and self-liquidation to create phantom collateral, ultimately stealing 6,260 ETH (over $12.9 million). While no user collateral was affected, the incident highlighted audit oversights and has prompted Abracadabra to pause borrowing, launch an investigation, and offer a 20% bounty. They also pledged to buy back 6.5 million MIM and cover half the losses upfront.
Abracadabra - Rekt II (Apr 16)
Malicious Attack Transaction - Arbiscan (Apr 16)
Abracadabra Money Homepage (Apr 16)
Abracadabra Money - The Path Forward (Apr 16)
Abracadabra Money - "The Zeroshadow team alerted us and we quickly turned off all borrows to all cauldrons... To the hacker, we are happy to entertain negotiations for a bug bounty of 20% of the total." - Twitter/X (Apr 17)
hklst4r - "The CauldronV4 contract allows user to perform multiple actions while the solvency check is at the end of all actions. (P1)" - Twitter/X (Apr 17)
Ethereum Price History and Historical Data | CoinMarketCap (Dec 21)
Abracadabra loses $13 million in "Magic Internet Money" (May 14)
