Hacker rewarded 20% bounty by Abracadabra following $13M data breach

Date: 2025-03-25 17:02:35 | By Percy Gladstone

Abracadabra Finance has confirmed a security breach affecting its gmCauldron smart contracts, which led to the theft of roughly $13 million, and is now working to recover the funds.

Following the incident, the protocol has suspended borrowing across all cauldrons and is collaborating with blockchain security firms to trace the stolen funds, as per a company announcement.

PeckShield, a blockchain security firm, initially identified the attack, which targeted the integration between the GMX decentralized exchange and Abracadabra's lending contracts.

"The extent of the damage caused by the attack is currently being evaluated. We are cooperating with Guardian Audits, GMX, and other security professionals to determine the execution of the hack," the company stated.

Abracadabra mentioned that their gmCauldrons underwent audits by Guardian Audits prior to deployment and were incorporated into various security monitoring systems, including Zeroshadow tracking and Hexagate response software. Nevertheless, the breach was only discovered after the attacker carried out numerous transactions.

The Zeroshadow team eventually informed Abracadabra, which led to the immediate halt of all borrowing functions.

.@GMX_IO @MIM_Spell related contracts have been hacked for ~6,260 ETH (worth ~$13M)

Chainalysis, a blockchain analytics firm, has been brought in to monitor the stolen assets, which have been transferred from Arbitrum (ARB) to Ethereum (ETH) and consolidated into at least three addresses.

Abracadabra is offering the attacker a 20% bug bounty in exchange for returning the remaining funds, stating:

"To the hacker, we are open to discussions for a bug bounty of 20% of the total. Reach out at [email protected] or on-chain to our treasury address on ETH 0xDF2C270f610Dc35d8fFDA5B453E74db5471E126B."

The company has promised to release a comprehensive post-mortem of the recent exploit once the investigation is finished.
