Abracadabra Money: Logic bug — phantom collateral / post-liquidation state inconsistency
Summary
Abracadabra Money (category: CDP / Lending, Cauldron-style isolated markets) was exploited on 2025-03-25, resulting in a loss of approximately $13M.
What happened
Abracadabra lost $13M when attackers discovered that self-liquidating a position didn't cancel a pending GMX order, letting them borrow against collateral the protocol had already wiped.
Linked factors
- RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — gmCauldron integration with GMX was a relatively new module]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown / not mentioned in report]
- RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-077 — causal : Prior exploit count [via cross-hack: Factor 5: Second Exploit on Same Protocol]
- RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 5: Second Exploit on Same Protocol]
- RD-F-079 — causal : Same-root-cause repeat exploit [via cross-hack: Factor 5: Second Exploit on Same Protocol]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — gmCauldron integration with GMX was a relatively new module]