Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/abracadabramoneydepositfailselfliquidatevulnerability.php}} {{Unattributed Sources}} Abracadabra Money Logo/HomepageAbracadabra Money is a cross-chain DeFi lending platform that allows users to mint a USD-pegged stablecoin, Magic Internet Money (MIM), using interest-bearing tokens as collateral. Despite its robust ecosystem, including over $142 millio..."

2025-04-22T22:20:08Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/abracadabramoneydepositfailselfliquidatevulnerability.php}} {{Unattributed Sources}} thumb|Abracadabra Money Logo/HomepageAbracadabra Money is a cross-chain DeFi lending platform that allows users to mint a USD-pegged stablecoin, Magic Internet Money (MIM), using interest-bearing tokens as collateral. Despite its robust ecosystem, including over $142 millio..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/abracadabramoneydepositfailselfliquidatevulnerability.php}}
{{Unattributed Sources}}

[[File:Abracadabramoney.jpg|thumb|Abracadabra Money Logo/Homepage]]Abracadabra Money is a cross-chain DeFi lending platform that allows users to mint a USD-pegged stablecoin, Magic Internet Money (MIM), using interest-bearing tokens as collateral. Despite its robust ecosystem, including over $142 million in TVL and extensive audits, the platform recently suffered a major exploit due to a flaw in its gmCauldrons. The attacker manipulated a failed deposit and self-liquidation to create phantom collateral, ultimately stealing 6,260 ETH (over $12.9 million). While no user collateral was affected, the incident highlighted audit oversights and has prompted Abracadabra to pause borrowing, launch an investigation, and offer a 20% bounty. They also pledged to buy back 6.5 million MIM and cover half the losses upfront.<ref name="abracadabrarekt-19327" /><ref name="attacktransactionarbiscan-19328" /><ref name="abracadabramoneyhomepage-19329" /><ref name="thepathforward-19330" /><ref name="mimspelltweet1-19331" /><ref name="hklst4rtweet-19332" /><ref name="ethereumhistory-4651" />

== About Abracadabra Money ==
Abracadabra Money is an omnichain DeFi lending platform that enables users to mint Magic Internet Money (MIM), a USD-pegged stablecoin, by using interest-bearing tokens as collateral. With over $142 million in total value locked and a robust ecosystem that includes borrowing cauldrons, staking, and liquidity pools, Abracadabra offers deep liquidity, cross-chain operability, and strong community governance through its SPELL token. The platform’s design emphasizes decentralization, user empowerment, and seamless cross-chain functionality, making it a key player in the DeFi space.

"Abracadabra.money is a Omnichain DeFi lending platform that works its magic by utilizing interest-bearing tokens as collateral to mint Magic Internet Money (MIM), a USD-Denominated stablecoin.

Abracadabra unlocks the capital of interest bearing assets, allowing users to take on USD-denominated loans while their collateral keeps earning yield. Abracadabra also offers staking strategies, which allows non-yielding assets to start earning yield in a very simple, secure and efficient way."

== The Reality ==
Guardian Audits was the firm which audited the smart contract. "The exploit waltzed through their review while they were busy catching other bugs in the same codebase - they spotted multiple issues but completely missed how a failed deposit and self-liquidation could create a phantom collateral position that remained borrowable."

== What Happened ==
Abracadabra Money’s gmCauldrons were exploited despite prior audits and security measures, leading to a loss of funds, though no user collateral was affected.
{| class="wikitable"
|+Key Event Timeline - Abracadabra Money Deposit Fail Self-Liquidate Vulnerability
!Date
!Event
!Description
|-
|March 25th, 2025 2:34:13 AM MDT
|Arbitrum Exploit Transaction
|An exploit transaction on arbitrum.
|-
|March 25th, 2025 8:07:00 AM MDT
|Awareness Of Exploit Tweet
|Abracadabra Money tweeted about an exploit in their gmCauldrons, which was detected after several transactions. Despite thorough audits and security measures, the attack only triggered alerts later. No user collateral was affected, and the exploit is contained within the gmCauldrons. The team is working with @chainalysis and other security partners to track the stolen funds and is offering a 20% bug bounty to the attacker. A full post-mortem will be provided soon.
|-
|March 26th, 2025 2:51:15 AM MDT
|The Path Forward Published
|In response to a recent exploit of its gmCauldrons suite resulting in a $13 million loss of MIM, Abracadabra Money outlines its recovery strategy and future plans in an article entitled "The Path Forward". Despite the breach, no user funds were lost and the broader protocol remains intact. The DAO treasury, holding approximately $19 million, has already covered 50% of the loss and plans to absorb the remainder in the coming months. Looking ahead, the DAO will focus on four key initiatives: a robust remediation plan, expansions into Berachain and Nibiru, and the launch of Purrswap—a stableswap incubated by the DAO. Enhanced security partnerships and the introduction of Omnichain SPELL are also part of efforts to strengthen the ecosystem. Abracadabra emphasizes transparency, integrity, and community trust as it navigates recovery and growth.
|}

== Technical Details ==
"The Setup: Deposit into GMX, but make it fail. The tokens don’t return to the attacker. Instead, they get stuck in the OrderAgent contract, waiting to be claimed.

The Misdirection: Borrow funds and push the position into liquidation. Everyone focuses on the liquidation, but the real trick is already in motion.

The Switch: Self-liquidate. The contract wipes the position but forgets to scrub the order. The collateral? Still hanging around like an unpaid bar tab.

The Reveal: Borrow against a ghost. The system, blissfully unaware, still sees the liquidated position as good collateral. 6,260 ETH exits stage left—while everyone’s eyes are on the wrong trick."

== Total Amount Lost ==
6,260 ETH x $2,067.76 = $12944177.6

The total amount lost has been estimated at $12,944,000 USD.

== Immediate Reactions ==
Abracadabra Money tweeted that they are aware of an exploit affecting their gmCauldrons and have launched an in-depth investigation with core contributors and security engineers. Despite having undergone full audits by @GuardianAudits and being integrated with advanced monitoring tools like @zeroshadow_io and @hexagate_, the exploit was only detected after several malicious transactions. Borrowing was immediately disabled across all cauldrons once alerted. Importantly, no user collateral was impacted, and the issue is isolated to the gmCauldrons. The team is collaborating with @GMX_IO, @chainalysis, and other partners to assess the damage and trace the stolen funds, currently consolidated at a known wallet address. Abracadabra is also open to negotiating a 20% bug bounty with the attacker and will release a full post-mortem soon.

"Abracadabra rushed out their "Path Forward" document the day after the exploit, promising to buy back 6.5 million MIM and cover half the damage upfront."

== Ultimate Outcome ==
"The stolen funds (6,260 ETH in total) were bridged from Arbitrum to Ethereum"

"Abracadabra paused all borrowing and trotted out a 20% bounty offer, but the attacker had already split town with their 6,260 ETH."

"Guardian Audits skipped the usual blame-shifting dance and owned their miss when Rekt News came knocking." "Their response? Double the security squad and slap on invariant testing - a rare sign that at least one audit shop cares more about actual security than collecting protocol badges."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="abracadabrarekt-19327">[https://rekt.news/abracadabra-rekt2 Abracadabra - Rekt II] (Accessed Apr 16, 2025)</ref>

<ref name="attacktransactionarbiscan-19328">[https://arbiscan.io/tx/0xed17089aa6c57b7d5461209e853bdb56bc3460a91805e20d2590609a515ef0b0 Malicious Attack Transaction - Arbiscan] (Accessed Apr 16, 2025)</ref>

<ref name="abracadabramoneyhomepage-19329">[https://abracadabra.money/ Abracadabra Money Homepage] (Accessed Apr 16, 2025)</ref>

<ref name="thepathforward-19330">[https://mirror.xyz/0x5744b051845B62D6f5B6Db095cc428bCbBBAc6F9/25X2JijzhkFK6oCC5oARNuVew5pyGZ1hGbMQ4Qu4kxQ Abracadabra Money - The Path Forward] (Accessed Apr 16, 2025)</ref>

<ref name="mimspelltweet1-19331">[https://twitter.com/MIM_Spell/status/1904535586532180434 Abracadabra Money - "The Zeroshadow team alerted us and we quickly turned off all borrows to all cauldrons... To the hacker, we are happy to entertain negotiations for a bug bounty of 20% of the total." - Twitter/X] (Accessed Apr 17, 2025)</ref>

<ref name="hklst4rtweet-19332">[https://twitter.com/hklst4r/status/1904541046643495240 hklst4r - "The CauldronV4 contract allows user to perform multiple actions while the solvency check is at the end of all actions. (P1)" - Twitter/X] (Accessed Apr 17, 2025)</ref>

<ref name="ethereumhistory-4651">[https://coinmarketcap.com/currencies/ethereum/historical-data/ https://coinmarketcap.com/currencies/ethereum/historical-data/] (Accessed Dec 21, 2021)</ref></references>

Abracadabra Money Deposit Fail Self-Liquidate Vulnerability - Revision history