Magic Internet Money Incident Analysis

A smart‑contract vulnerability in the integration between GmxV2CauldronV4 and RouterOrder was exploited on 25 March 2025, allowing an attacker to liquidate a position, avoid clearing RouterOrder.collateral state (inputAmount), and repeatedly borrow additional MIM without repaying, resulting in a drain of ~6,261.13 ETH (~$12.9M). The report includes detailed transaction links, attacker and contract addresses, stepwise attack actions, the root cause (sendValueInCollateral not clearing RouterOrder.inputAmount), and the subsequent fund flow including bridging via Stargate and distribution to multiple wallets.