- Abracadabra.Money lost $13M in ETH after an exploit targeting its GMX-linked lending pools.
- GMX denied responsibility, saying its smart contracts were unaffected by the hack.
- Hackers used Tornado Cash and bridged the stolen funds from Arbitrum to Ethereum.
Another day, another DeFi protocol exploited. This time it’s Abracadabra.Money, and the damage? Roughly $13 million worth of crypto—gone.
On March 25, cybersecurity firm PeckShield posted on X (yep, still calling it that), confirming that smart contracts tied to GMX tokens and Abracadabra.Money were hit, resulting in the loss of around 6,260 ETH, which at the time of the hack was worth about $13 million. Brutal.
And the kicker? This isn’t even the first time Abracadabra’s been drained. Back in January, they got clipped for another $6.49 million, and that breach knocked their Magic Internet Money (MIM) stablecoin off its peg to the U.S. dollar.
GMX Says: “Not Us”
Despite what some early tweets implied, GMX insists their own contracts weren’t the issue. A pseudonymous GMX rep chimed in on X, saying “GMX contracts are not affected”, and pointed the finger instead at how MIM integrates with GMX v2 pools.
To break it down: MIM uses these things called cauldrons—essentially lending pools tied to specific assets. In this case, they were built around GM tokens, which are key to GMX’s whole platform. They help generate fees from swaps and leveraged trading.
GMX made it pretty clear in an official post: the exploit hit Abracadabra’s Spell cauldrons, not GMX itself. So, technically speaking, their code held up… at least this time.
Follow the (Stolen) Money
According to crypto forensics firm AMLBot, the attacker funneled money in through Tornado Cash—a decentralized crypto mixer known for helping hide fund origins (and also being sanctioned, by the way). From there, they used those coins to cover gas fees for the actual exploit transactions.
Once they snagged the ETH, they moved it off Arbitrum and bridged it straight to Ethereum mainnet, probably to cash out or scatter it even further.
“The stolen funds, totaling 6,260 ETH, have been transferred from Arbitrum to Ethereum via a bridge,” AMLBot confirmed.
They also added that GMX contracts weren’t touched. Only Abracadabra’s were compromised, which—if nothing else—helps clear up some of the initial confusion floating around.
So, What’s Next?
As of now, neither GMX nor Abracadabra.Money has issued any follow-up or replied to press inquiries, at least not by the time of writing. Community reaction has ranged from frustration to straight-up disbelief that this keeps happening, especially to protocols that are supposed to be tested and secure.
With DeFi still being the Wild West of crypto, stuff like this doesn’t come as a huge shock anymore—but it’s definitely not helping anyone sleep better at night.
