Abracadabra.Money, a popular decentralized lending protocol, has been hit by a devastating exploit that drained approximately $13 million in Ethereum. The attack targeted specific "cauldron" lending markets on Abracadabra that used GM tokens—representing liquidity positions in the decentralized exchange GMX—as collateral.

Blockchain security firm PeckShield was first to detect the breach, confirming that attackers siphoned off around 6,260 ETH. These funds were stolen through vulnerabilities in the smart contracts linked to GMX liquidity tokens, though GMX was quick to clarify that its core infrastructure remained untouched. According to the GMX team, the breach was isolated to Abracadabra’s integration of GM tokens and had no impact on GMX’s own smart contracts.

Abracadabra acknowledged the incident in a statement on X (formerly Twitter), emphasizing that the compromised contracts had been audited by Guardian Audits—the same firm that vetted GMX’s own contracts. Despite these precautions, the exploit occurred, raising concerns about the effectiveness of smart contract audits in preventing real-world attacks.

In an effort to recover the stolen funds, Abracadabra has offered the attacker a 20% bug bounty and invited them to negotiate either on-chain or through email. Meanwhile, the team is working closely with GMX, Guardian Audits, and other partners to assess the damage and identify how the exploit was carried out.

Abracadabra stated that no user collateral was affected, and a full post-mortem report will be released following the investigation. This marks the second major incident for the protocol, following a $6.49 million exploit last year that caused its Magic Internet Money (MIM) stablecoin to briefly lose its peg to the U.S. dollar.

The exploit underscores ongoing vulnerabilities in DeFi, even for platforms with audited and monitored contracts.