Prominent blockchain security firm PeckShield reported an exploit involving the GMX decentralized exchange (DEX), which has brought attention to vulnerabilities within the Abracadabra (Spell) ecosystem.

The incident, tied to Abracadabras cauldrons smart contracts that facilitate DeFi operations like lending, borrowing, and liquidity provision led to the theft of approximately 6,260 Ethereum, worth roughly $13 million.

GMX Assures Contracts Remain Secure

While the attack has drawn considerable attention, GMX was quick to clarify that its contracts were not compromised. In fact, the issue was confined to the integration between GMX V2 and Abracadabras cauldrons, which use GMXs liquidity pools for their operations. The team assured the community that it was not affected by the incident and confirmed that no vulnerabilities were found within GMXs own smart contracts.

The team further explained that the Abracadabra team, along with external security researchers, was actively investigating the breach to determine its cause and prevent future incidents. This incident is particularly noteworthy as it highlights the continued security challenges within the broader DeFi ecosystem.

It also follows a previous security breach in January 2024 when Abracadabras Magic Internet Money (MIM) stablecoin was exploited due to a flaw in its smart contract. The exploit led to a loss of $6.49 million.

Flash Loan Attack

Crypto researcher Weilin (William) Li stated that the CauldronV4 contract permits users to perform multiple actions, with the solvency check occurring at the end of the process. In this case, the attacker performed seven actions, five of which involved borrowing the Magic Internet Money (MIM) stablecoin, followed by calling the attack contract and initiating liquidation.

Lis initial analysis suggests that the first action, borrowing MIM, already increased the attackers debt, making the liquidation (action 31) possible. This liquidation, however, was suspiciously executed in a flash loan state where the borrower had no collateral.

He also pointed out that the attacker profited from liquidation incentives and exploited the fact that the solvency check only occurred after all actions were completed, which allowed the attacker to circumvent the systems protections.