Nearly $13 million stolen from Abracadabra Finance in crypto heist

The cryptocurrency platform Abracadabra Finance lost about $13 million worth of digital currency to hackers on Tuesday morning.  

The company did not respond to requests for comment confirming the amount of stolen cryptocurrency but acknowledged the incident in a message on social media. 

The crypto lending platform said the issue was sourced back to a product it calls “cauldrons” — isolated lending markets that allow users to borrow against a variety of cryptocurrencies. 

“Core contributors and security engineers are investigating the issue in depth and will provide more information as soon as available,” the company said, adding that each cauldron had been audited by a security company called Guardian. 

“While having multiple systems in place, the exploit was caught only after the attacker executed several transactions.”

Abracadabra Finance said it is in the process of calculating the damage and is working with Guardian and other companies to examine the incident. The blockchain security company Chainalysis is tracking the stolen funds. 

The company also offered a bug bounty to the hacker of 20% of the stolen funds. Abracadabra Finance’s website was replaced with a message saying the company’s front end is not currently available.

Multiple blockchain security firms said 6,260 Ethereum coins were stolen in the attack, valued at about $12.9 million. Several companies tied the attack to the decentralized exchange GMX — which provides the coins that served as collateral for Abracadabra Finance’s cauldrons. 

GMX representatives released multiple statements on X and Telegram claiming they were not affected. 

“To clarify, no issues have been identified with GMX contracts, and they are not affected by this unfortunate situation,” the company said. 

In many attacks on cryptocurrency platforms, hackers have to first transfer in funds before they can withdraw. At least one of the blockchain security firms, Slow Mist, said the funds used to initially launch the attack were sourced back to Tornado Cash. 

The Treasury Department removed sanctions on Tornado Cash last week after a federal appeals court ruled the agency had exceeded its authority in trying to penalize the company for being used by North Korean hackers seeking to launder funds stolen from cryptocurrency firms.