About $13 million worth of cryptocurrency has been drained from decentralized lending protocol Abracadabra.Money following an exploit targeting pools using GMX tokens.

In a March 25 X post, crypto cybersecurity firm PeckShield reported that contracts related to GMX and Abracadabra.Money had been compromised, resulting in the loss of about 6,260 Ether (ETH), worth around $13 million.

The news follows Abracadabra.Money losing $6.49 million after its smart contracts were compromised in late January 2024. At the time, this also led to the protocol’s Magic Internet Money (MIM) stablecoin losing its peg to the US dollar.

Related: Pump.fun’s new DEX reaches $1B volume a week after launch

GMX denies contract vulnerability

Despite initial reports, a pseudonymous GMX communications contributor claimed on X that “GMX contracts are not affected.” According to the user, GMX is involved because MIM’s pools are based on GMX v2 pools.

GMX Market (GM) tokens are a core part of the GMX platform, earning fees from swaps and leveraged trading. MIM’s pools, known as cauldrons, are the protocol’s core product and provide isolated lending exposure.

Related: DeFi lender Nostra pauses borrowing after price feed error

In an official X post, GMX stated that the hack involved MIM’s pools that used GM tokens. The post further claimed that “no issues have been identified with GMX contracts,” adding:

“We believe the issue relates solely to the Abracadabra/Spell cauldrons. These cauldrons allow for borrowing against specific GM liquidity tokens.”

GMX and Abracadabra.Money had not responded to Cointelegraph’s inquiry by the time of publication.

Hackers use Tornado Cash, bridge to Ethereum

Graphic tracking the hacked funds. Source: AMLBot

Crypto forensics firm AMLBot provided Cointelegraph with a partial reconstruction of how the hack was performed. The hacker’s address was first funded through the Tornado Cash decentralized cryptocurrency mixer, and then those funds were used to pay the transaction fees of the malicious transactions. The stolen ETH was later moved from the Arbitrum network to Ethereum via a blockchain bridge:

“The stolen funds, totaling 6,260 ETH, have been transferred from Arbitrum to Ethereum via a bridge.”

AMLBot’s investigations department also confirmed to Cointelegraph that only Abracadabra.Money contracts were breached as part of the hack. The GMX smart contracts, on the other hand, were not exploited in the malicious transactions, AMLBot added.

Magazine: What are native rollups? Full guide to Ethereum’s latest innovation