Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 226 · Smart Contract Bug

Abracadabra GMX Cauldron Self-Liquidation

Attacker drained $13M (6,260 ETH) from Abracadabra's GM Cauldrons by engineering a failing GMX deposit, self-liquidating, then reborrowing the collateral.

Date: March 25, 2025
Funds Stolen: ~$13M (6,260 ETH)

On March 25, 2025, Abracadabra Money suffered its second major exploit in 14 months. The attacker drained 6,260 ETH (~$13 million) from Cauldrons tied to GMX's GM liquidity tokens. The exploit chained together a failing-but-not-reverting GMX deposit, a deliberate self-liquidation, and a subsequent borrow against the orphaned collateral — completing the multi-stage attack in approximately 1 hour 40 minutes.

What happened

The affected Cauldrons accepted GM tokens (GMX's liquidity-provider tokens for various GMX markets) as collateral. The Cauldron's deposit logic routed through an OrderAgent contract that coordinated the multi-step interaction with GMX's deposit machinery.

The attacker discovered a sequence of operations that exploited the gap between GMX's deposit failure handling and Abracadabra's accounting:

  1. Initiated a GMX deposit through Abracadabra's OrderAgent with parameters designed to make the GMX-side deposit fail at execution but not revert at the Abracadabra level — leaving the deposited funds stranded in the OrderAgent contract, not credited to anyone.
  2. Borrowed against the deposited position — Abracadabra's Cauldron recorded the debt as the attacker's obligation.
  3. Pushed the position into liquidation by triggering price movements or accumulating interest until it crossed the liquidation threshold.
  4. Self-liquidated — wiping the debt from the protocol's accounting while keeping the collateral in the OrderAgent.
  5. Took a new loan using the orphaned collateral still sitting in the OrderAgent — collateral that the protocol had no record of as backing any obligation, but that the new loan now drew against.
  6. Extracted the new loan's proceeds without ever needing to repay the original debt or release the collateral.

Net theft: ~$13M in ETH-equivalent assets.

Aftermath

  • Abracadabra halted borrowing across all GM Cauldrons by 09:46 UTC — approximately 100 minutes after the first malicious transaction.
  • The team offered the attacker a 20% bug bounty and a path to white-hat resolution; the attacker did not respond.
  • GMX publicly defended its own contracts — emphasising that the exploit was in Abracadabra's integration logic, not in GMX's GM token mechanics or liquidity pool functions.
  • Funds were laundered through Tornado Cash.

Why it matters

The Abracadabra March 2025 incident is a striking illustration of how integration logic with external protocols inherits the failure modes of both sides of the integration. The exploit was not in:

  • GMX's contracts (which were working as designed — depositing assets to a position that hadn't yet been opened or that the GM oracle priced unfavourably is a legitimate state for the GMX system).
  • Abracadabra's core Cauldron logic (which correctly recorded debts and processed liquidations).

It was in the OrderAgent that bridged the two — specifically, in how the OrderAgent handled the case where GMX's deposit operation partially completed without producing the expected position. The agent left the collateral stranded, the Cauldron accounting moved on without it, and the gap was the entire exploit.

The structural lessons for DeFi integrations:

  1. External-protocol failure modes must be enumerated and handled explicitly — "what happens if the call partially succeeds" is a distinct question from "what happens if it reverts" or "what happens if it succeeds."
  2. State synchronisation between accounting systems (Cauldron debt records, OrderAgent custody, GMX position state) must be invariant-checked after every operation, not assumed.
  3. The 1h40m response time was respectable but not fast enough — the attacker had executed the multi-stage drain across multiple Cauldrons before defensive action could pause the affected markets.
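Lessons 1 and 2 above are easier to see in code. The model below is an added example written for this dossier; it is not Abracadabra's, GMX's or any real contract's code. It keeps the three ledgers the text names (the Cauldron's collateral and debt records, the OrderAgent's custody, and the external protocol's credited positions) and enumerates the three deposit outcomes explicitly: success, revert and the partial case where the external call returns without crediting a position. The invariant check runs after every operation on a working copy, so a partial deposit is rejected like an on-chain revert instead of being committed with collateral that nobody accounts for. All names (`ProtocolState`, `check_invariants`, `deposit`, `DepositOutcome`) and the unit amounts are hypothetical.

```python
"""Hypothetical model of cross-protocol accounting invariants.

Constructed for this example; not Abracadabra's, GMX's or any real
contract's code. Three ledgers must agree after every operation.
"""
import copy
from dataclasses import dataclass, field
from enum import Enum, auto


class DepositOutcome(Enum):
    SUCCESS = auto()   # external deposit executed and credited a position
    REVERT = auto()    # external call reverted; the whole transaction unwinds
    PARTIAL = auto()   # external call returned, but no position was credited


class InvariantViolation(Exception):
    """Raised when the ledgers disagree; the caller must not commit."""


@dataclass
class ExternalPositions:
    """What the external protocol (GMX in the text) actually credited."""
    credited: dict = field(default_factory=dict)   # user -> collateral units


@dataclass
class AgentCustody:
    """Tokens physically held by the integration agent (OrderAgent in the text)."""
    held: int = 0


@dataclass
class CauldronLedger:
    """The lending protocol's own view of each user's collateral and debt."""
    collateral: dict = field(default_factory=dict)
    debt: dict = field(default_factory=dict)


@dataclass
class ProtocolState:
    cauldron: CauldronLedger = field(default_factory=CauldronLedger)
    agent: AgentCustody = field(default_factory=AgentCustody)
    external: ExternalPositions = field(default_factory=ExternalPositions)


def check_invariants(state: ProtocolState) -> None:
    """Raise unless the three ledgers agree.

    1. Every unit of collateral the Cauldron records for a user is backed by
       a position the external protocol credited to that same user.
    2. The agent holds nothing attributed to nobody: outside an in-flight
       operation its custody must be zero (no orphaned collateral).
    3. Nobody carries debt without recorded collateral.
    """
    for user, amount in state.cauldron.collateral.items():
        backed = state.external.credited.get(user, 0)
        if backed < amount:
            raise InvariantViolation(f"{user}: collateral {amount} backed by only {backed}")
    if state.agent.held != 0:
        raise InvariantViolation(f"agent holds {state.agent.held} orphaned units")
    for user, owed in state.cauldron.debt.items():
        if owed > 0 and state.cauldron.collateral.get(user, 0) == 0:
            raise InvariantViolation(f"{user}: debt {owed} with no collateral")


def deposit(state: ProtocolState, user: str, amount: int,
            outcome: DepositOutcome, *, check: bool) -> ProtocolState:
    """Apply a deposit and return the resulting state.

    Works on a copy so that a failed check behaves like an on-chain revert:
    the caller's original state is untouched. `check=False` is the naive
    path that records collateral without confirming what really happened.
    """
    new = copy.deepcopy(state)
    new.agent.held += amount   # tokens move into agent custody first

    if outcome is DepositOutcome.REVERT:
        raise RuntimeError("external deposit reverted; transaction unwinds")
    if outcome is DepositOutcome.SUCCESS:
        new.external.credited[user] = new.external.credited.get(user, 0) + amount
        new.agent.held -= amount   # custody handed over to the credited position
    # PARTIAL: the call returned without crediting; tokens stay in custody.

    # The accounting step records collateral regardless of the outcome above.
    new.cauldron.collateral[user] = new.cauldron.collateral.get(user, 0) + amount

    if check:
        check_invariants(new)   # raises on PARTIAL, so the state is never committed
    return new


def orphaned_collateral(state: ProtocolState) -> int:
    """Units sitting in agent custody that no position backs."""
    return state.agent.held


if __name__ == "__main__":
    start = ProtocolState()
    good = deposit(start, "alice", 100, DepositOutcome.SUCCESS, check=True)
    print("success: orphaned =", orphaned_collateral(good))
    naive = deposit(start, "bob", 50, DepositOutcome.PARTIAL, check=False)
    print("naive partial: orphaned =", orphaned_collateral(naive))
    try:
        deposit(start, "bob", 50, DepositOutcome.PARTIAL, check=True)
    except InvariantViolation as exc:
        print("checked partial rejected:", exc)
```

The point of the copy-then-commit shape is that the invariant check is the last thing that runs before state becomes visible; a real contract achieves the same effect by reverting, which discards all writes in the transaction. Extending `check_invariants` to run after borrows and liquidations as well is what lesson 2 means by "after every operation, not assumed".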

Together with the January 2024 incident and the third exploit in October 2025, this gives Abracadabra three major exploits in approximately two years, a record that continues to support the general DeFi-security observation that post-incident remediation focused on the specific bug rather than on systemic causes tends to produce repeat exploits.

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/business/2025/03/25/abracadabra-drained-of-usd13m-in-exploit-targeting-cauldrons-tied-to-gmx-liquidity-tokens
  2. threesigma.xyz: https://threesigma.xyz/blog/exploit/abracadabra-gmx-defi-exploit-explained
  3. halborn.com: https://www.halborn.com/blog/post/explained-the-abracadabra-money-hack-march-2025
