
On March 25, the DeFi platform Abracadabra Finance suffered a large-scale cyberattack, resulting in the theft of over 6,200 Ethereum tokens. At the current exchange rate, the losses are estimated at approximately $12.9 million.
While the company has yet to confirm the final amount lost, the incident was officially acknowledged on social media. According to their statement, the vulnerability was identified in the “cauldrons” component—segregated lending pools that allow users to borrow against various cryptocurrencies.
Abracadabra Finance reported that the breach is under investigation by specialized engineers and developers and emphasized that each of the pools had undergone audits by independent experts. Despite the implemented security measures, the attack was only detected after the cybercriminal had executed several transactions. The platform is currently assessing the extent of the damage, while blockchain analytics firm Chainalysis has taken charge of tracking the stolen assets.
In an effort to recover part of the funds, the platform has offered the attacker a bounty amounting to 20% of the stolen sum as an incentive for partial restitution. Meanwhile, the official Abracadabra Finance website was temporarily taken offline, displaying a notice of interface unavailability.
Some cybersecurity experts have speculated a link between the incident and the decentralized exchange GMX, as tokens provided by GMX were used as collateral in Abracadabra’s lending system. However, GMX representatives have stated that their smart contracts remain uncompromised and no irregularities have been detected on their end.
An investigation by SlowMist revealed that the initial funds used by the attacker were funneled through the cryptocurrency mixer Tornado Cash. This service had previously been sanctioned by the U.S. Treasury Department due to its use by North Korean hackers for laundering stolen crypto assets. However, a recent ruling by a U.S. Appeals Court overturned the sanctions, deeming the Treasury’s actions unlawful. Experts believe this legal shift may have facilitated the attack by re-enabling Tornado Cash’s use.
The breach at Abracadabra Finance serves as yet another stark reminder of the inherent risks posed by decentralized financial platforms. Even with thorough audits and security mechanisms in place, malicious actors continue to find sophisticated ways to circumvent system defenses.