Abracadabra (Spell / MIM) Hack - March 25, 2025
Overview
A significant exploit affected Abracadabra/Spell's cauldrons that leveraged GMX V2's GM (liquidity) pools, causing a ~$13 million loss. The attack involved multiple suspicious transactions on the Arbitrum network and the theft of approximately 6,260 ETH.
Technical Root Cause
The exploit targeted Abracadabra's gmCauldron smart contracts — cauldrons that accept GMX V2 GM (liquidity provider) tokens as collateral against MIM borrowing. The attacker exploited a flaw in the liquidation accounting of these gmCauldrons during a flash-loan-induced state, allowing them to self-liquidate profitably.
Attack Vector / Steps
1. Attacker took out a flash loan
2. Used the flash loan to enter a position in Abracadabra's gmCauldron, manipulating the position state
3. Triggered a liquidation of their own position while in the flash-loan state
4. Profited from liquidation incentives / accounting flaw — the cauldron returned more value during liquidation than the attacker had deposited
5. Repeated and/or scaled the attack across the gmCauldron contracts
6. Converted proceeds to ETH (~6,260 ETH ≈ $13M)
7. Repaid flash loan and walked away with profit
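For monitoring, the pattern in the steps above (a position opened, liquidated by its own owner, and paid out above its deposit inside one flash-loan-funded transaction) can be checked per transaction. The following is an added detection sketch, not code from Abracadabra, GMX or the original write-up. The event kinds, field names, addresses and values are constructed assumptions standing in for decoded on-chain logs.

```python
from collections import defaultdict

# Constructed sample of decoded, normalized events. Kinds, field names,
# hashes and addresses are hypothetical, not the cauldron ABI or real data.
SAMPLE_EVENTS = [
    {"tx": "0xaaa", "kind": "flash_loan", "actor": "0xA1", "value_usd": 5_000_000},
    {"tx": "0xaaa", "kind": "deposit", "actor": "0xA1", "value_usd": 1_000_000},
    {"tx": "0xaaa", "kind": "borrow", "actor": "0xA1", "value_usd": 900_000},
    {"tx": "0xaaa", "kind": "liquidation", "actor": "0xA1", "target": "0xA1",
     "value_usd": 1_400_000},
    {"tx": "0xbbb", "kind": "liquidation", "actor": "0xB2", "target": "0xC3",
     "value_usd": 50_000},
    {"tx": "0xccc", "kind": "flash_loan", "actor": "0xD4", "value_usd": 200_000},
    {"tx": "0xccc", "kind": "deposit", "actor": "0xD4", "value_usd": 200_000},
]


def tx_signals(events):
    """Return the set of risk signals raised by one transaction's events."""
    kinds = {e["kind"] for e in events}
    deposited = defaultdict(int)
    for e in events:
        if e["kind"] == "deposit":
            deposited[e["actor"]] += e["value_usd"]
    signals = set()
    for e in (e for e in events if e["kind"] == "liquidation"):
        # A helper contract as liquidator defeats this check alone, so the
        # signals below are evaluated independently of it.
        if e["actor"] == e["target"]:
            signals.add("self_liquidation")
        if e["target"] in deposited:
            signals.add("opened_and_liquidated_same_tx")
            if e["value_usd"] > deposited[e["target"]]:
                signals.add("payout_exceeds_deposit")
    if signals and "flash_loan" in kinds:
        signals.add("flash_loan_funded")
    return signals


def flag_transactions(events, min_signals=2):
    """Group events by tx hash; report txs raising at least min_signals."""
    by_tx = defaultdict(list)
    for e in events:
        by_tx[e["tx"]].append(e)
    hits = {tx: sorted(tx_signals(evs)) for tx, evs in by_tx.items()}
    return {tx: s for tx, s in hits.items() if len(s) >= min_signals}


if __name__ == "__main__":
    print(flag_transactions(SAMPLE_EVENTS))
```

An ordinary third-party liquidation (`0xbbb`) and a flash-loan-funded deposit with no liquidation (`0xccc`) raise no signals, so only the combined pattern is reported.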
Financial Impact
• ~$13 million stolen (~6,260 ETH on Arbitrum)
• Affected only the gmCauldron variants tied to GMX V2 GM tokens
Response
• Abracadabra confirmed the exploit on March 25, 2025
• Noted that the exploited gmCauldron smart contracts had passed audits conducted by Guardian Audits
• Offered the attacker a 20% bug bounty in exchange for return of the funds
• GMX denied that its smart contracts were affected, noting the issue was confined to Abracadabra's cauldrons (i.e. GMX's GM pool contracts themselves were not vulnerable)
Context
This was at least the third major exploit affecting Abracadabra:
• January 2024: ~$6.4 million breach
• October 2025: a separate ~$1.7-1.8M MIM Spell incident
• March 2025: this gmCauldron / GMX-related $13M incident