Abracadabra Money Deposit Fail Self-Liquidate Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:20, 22 April 2025 by Azoundria


Abracadabra Money Logo/Homepage

Abracadabra Money is a cross-chain DeFi lending platform that allows users to mint a USD-pegged stablecoin, Magic Internet Money (MIM), using interest-bearing tokens as collateral. Despite its robust ecosystem, including over $142 million in TVL and extensive audits, the platform recently suffered a major exploit due to a flaw in its gmCauldrons. The attacker manipulated a failed deposit and self-liquidation to create phantom collateral, ultimately stealing 6,260 ETH (over $12.9 million). While no user collateral was affected, the incident highlighted audit oversights and has prompted Abracadabra to pause borrowing, launch an investigation, and offer a 20% bounty. They also pledged to buy back 6.5 million MIM and cover half the losses upfront.[1][2][3][4][5][6][7]

About Abracadabra Money

Abracadabra Money is an omnichain DeFi lending platform that enables users to mint Magic Internet Money (MIM), a USD-pegged stablecoin, by using interest-bearing tokens as collateral. With over $142 million in total value locked and a robust ecosystem that includes borrowing cauldrons, staking, and liquidity pools, Abracadabra offers deep liquidity, cross-chain operability, and strong community governance through its SPELL token. The platform’s design emphasizes decentralization, user empowerment, and seamless cross-chain functionality, making it a key player in the DeFi space.

"Abracadabra.money is an Omnichain DeFi lending platform that works its magic by utilizing interest-bearing tokens as collateral to mint Magic Internet Money (MIM), a USD-Denominated stablecoin.

Abracadabra unlocks the capital of interest bearing assets, allowing users to take on USD-denominated loans while their collateral keeps earning yield. Abracadabra also offers staking strategies, which allows non-yielding assets to start earning yield in a very simple, secure and efficient way."

The Reality

Guardian Audits was the firm which audited the smart contract. "The exploit waltzed through their review while they were busy catching other bugs in the same codebase - they spotted multiple issues but completely missed how a failed deposit and self-liquidation could create a phantom collateral position that remained borrowable."

What Happened

Abracadabra Money’s gmCauldrons were exploited despite prior audits and security measures, leading to a loss of funds, though no user collateral was affected.

Key Event Timeline - Abracadabra Money Deposit Fail Self-Liquidate Vulnerability

Date | Event | Description
March 25th, 2025 2:34:13 AM MDT | Arbitrum Exploit Transaction | An exploit transaction on Arbitrum.
March 25th, 2025 8:07:00 AM MDT | Awareness Of Exploit Tweet | Abracadabra Money tweeted about an exploit in their gmCauldrons, which was detected after several transactions. Despite thorough audits and security measures, the attack only triggered alerts later. No user collateral was affected, and the exploit is contained within the gmCauldrons. The team is working with @chainalysis and other security partners to track the stolen funds and is offering a 20% bug bounty to the attacker. A full post-mortem will be provided soon.
March 26th, 2025 2:51:15 AM MDT | The Path Forward Published | In response to a recent exploit of its gmCauldrons suite resulting in a $13 million loss of MIM, Abracadabra Money outlines its recovery strategy and future plans in an article entitled "The Path Forward". Despite the breach, no user funds were lost and the broader protocol remains intact. The DAO treasury, holding approximately $19 million, has already covered 50% of the loss and plans to absorb the remainder in the coming months. Looking ahead, the DAO will focus on four key initiatives: a robust remediation plan, expansions into Berachain and Nibiru, and the launch of Purrswap—a stableswap incubated by the DAO. Enhanced security partnerships and the introduction of Omnichain SPELL are also part of efforts to strengthen the ecosystem. Abracadabra emphasizes transparency, integrity, and community trust as it navigates recovery and growth.

Technical Details

"The Setup: Deposit into GMX, but make it fail. The tokens don’t return to the attacker. Instead, they get stuck in the OrderAgent contract, waiting to be claimed.

The Misdirection: Borrow funds and push the position into liquidation. Everyone focuses on the liquidation, but the real trick is already in motion.

The Switch: Self-liquidate. The contract wipes the position but forgets to scrub the order. The collateral? Still hanging around like an unpaid bar tab.

The Reveal: Borrow against a ghost. The system, blissfully unaware, still sees the liquidated position as good collateral. 6,260 ETH exits stage left—while everyone’s eyes are on the wrong trick."
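The quoted walkthrough above describes an accounting flaw: a failed deposit leaves tokens parked in an order contract, the cauldron keeps counting that pending order as collateral, and a liquidation clears the position without clearing the order. The model below is an added illustration written for this page; it is not Abracadabra's, GMX's or Guardian Audits' code, and the class names (Cauldron, OrderAgent), the 80% loan-to-value ratio, the price drop used to make the position liquidatable, and the assumption that a liquidator seizes the pending order's tokens are all constructed assumptions. It shows the failure mode beside the fix and, in the spirit of the invariant testing the audit firm later adopted, a single invariant ("every token counted as collateral is actually held by the vault or the order agent") that flags the ghost collateral the moment the flawed liquidation runs.

```python
"""Simplified accounting model of a lending cauldron that counts a pending
(failed) deposit order as collateral. Constructed illustration only; names,
ratios and mechanics are assumptions, not the real protocol's code."""
from dataclasses import dataclass


@dataclass
class Position:
    settled: int = 0        # collateral tokens the cauldron vault actually holds
    pending_order: int = 0  # tokens from a failed deposit, parked in the OrderAgent
    debt: int = 0           # MIM borrowed against the position


class Cauldron:
    def __init__(self, price: int, scrub_orders_on_liquidation: bool):
        self.price = price                        # USD per collateral token (integer, assumed)
        self.scrub = scrub_orders_on_liquidation  # False reproduces the flaw, True the fix
        self.positions: dict[str, Position] = {}
        self.vault = 0        # tokens held by the cauldron itself
        self.order_agent = 0  # tokens held by the (hypothetical) OrderAgent for pending orders
        self.mim_minted = 0   # MIM currently outstanding

    def pos(self, user: str) -> Position:
        return self.positions.setdefault(user, Position())

    def counted_collateral(self, user: str) -> int:
        # The flaw's precondition: a pending order is treated as if it had settled.
        p = self.pos(user)
        return p.settled + p.pending_order

    def max_debt(self, user: str) -> int:
        # Assumed 80% loan-to-value, computed in integers to avoid float drift.
        return self.counted_collateral(user) * self.price * 4 // 5

    def deposit(self, user: str, amount: int, succeeds: bool) -> None:
        p = self.pos(user)
        if succeeds:
            p.settled += amount
            self.vault += amount
        else:
            # Failed deposit: tokens wait in the OrderAgent but still count as collateral.
            p.pending_order += amount
            self.order_agent += amount

    def borrow(self, user: str, amount: int) -> None:
        p = self.pos(user)
        if p.debt + amount > self.max_debt(user):
            raise ValueError("insufficient collateral")
        p.debt += amount
        self.mim_minted += amount

    def is_liquidatable(self, user: str) -> bool:
        return self.pos(user).debt > self.max_debt(user)

    def liquidate(self, user: str) -> int:
        """Liquidator repays the debt and seizes everything the cauldron counts as collateral."""
        if not self.is_liquidatable(user):
            raise ValueError("position is healthy")
        p = self.pos(user)
        seized = p.settled + p.pending_order
        self.vault -= p.settled
        self.order_agent -= p.pending_order   # the order's tokens leave with the liquidator ...
        self.mim_minted -= p.debt
        p.settled, p.debt = 0, 0
        if self.scrub:
            p.pending_order = 0               # ... and the fix also forgets the order on the position
        return seized

    def ghost_collateral(self) -> int:
        """Counted collateral minus tokens the protocol actually controls; 0 when the invariant holds."""
        counted = sum(self.counted_collateral(u) for u in self.positions)
        return counted - (self.vault + self.order_agent)


def run_scenario(scrub_orders_on_liquidation: bool) -> dict:
    """Failed deposit -> borrow -> price drop -> self-liquidate -> try to borrow again."""
    c = Cauldron(price=2000, scrub_orders_on_liquidation=scrub_orders_on_liquidation)
    c.deposit("user", 10, succeeds=False)   # 10 tokens stuck in the OrderAgent, still counted
    c.borrow("user", 16_000)                # exactly the 80% limit at price 2000
    c.price = 1500                          # constructed price drop makes the position liquidatable
    c.liquidate("user")                     # self-liquidation: position wiped, order handling differs
    try:
        c.borrow("user", 1_000)             # borrowing against a position that holds nothing real
        borrowed_after = True
    except ValueError:
        borrowed_after = False
    return {
        "ghost_collateral": c.ghost_collateral(),
        "borrow_after_liquidation": borrowed_after,
        "unbacked_mim": c.mim_minted,
    }


if __name__ == "__main__":
    print("flawed:", run_scenario(False))
    print("fixed: ", run_scenario(True))
```

The invariant in `ghost_collateral` is the check worth carrying into a fuzzing or invariant-testing harness: it does not need to know the attack sequence, it only compares what the cauldron believes it is owed against what it and its order agent actually hold, and it fails on the flawed path immediately after the liquidation, before any further borrowing happens.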

Total Amount Lost

6,260 ETH x $2,067.76 = $12,944,177.60

The total amount lost has been estimated at $12,944,000 USD.

Immediate Reactions

Abracadabra Money tweeted that they are aware of an exploit affecting their gmCauldrons and have launched an in-depth investigation with core contributors and security engineers. Despite having undergone full audits by @GuardianAudits and being integrated with advanced monitoring tools like @zeroshadow_io and @hexagate_, the exploit was only detected after several malicious transactions. Borrowing was immediately disabled across all cauldrons once alerted. Importantly, no user collateral was impacted, and the issue is isolated to the gmCauldrons. The team is collaborating with @GMX_IO, @chainalysis, and other partners to assess the damage and trace the stolen funds, currently consolidated at a known wallet address. Abracadabra is also open to negotiating a 20% bug bounty with the attacker and will release a full post-mortem soon.

"Abracadabra rushed out their "Path Forward" document the day after the exploit, promising to buy back 6.5 million MIM and cover half the damage upfront."

Ultimate Outcome

"The stolen funds (6,260 ETH in total) were bridged from Arbitrum to Ethereum"

"Abracadabra paused all borrowing and trotted out a 20% bounty offer, but the attacker had already split town with their 6,260 ETH."

"Guardian Audits skipped the usual blame-shifting dance and owned their miss when Rekt News came knocking." "Their response? Double the security squad and slap on invariant testing - a rare sign that at least one audit shop cares more about actual security than collecting protocol badges."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References