TLDR
- Abracadabra lost $1.7M after attackers bypassed its solvency check logic.
- Go Security confirmed 51 ETH laundered through Tornado Cash post-hack.
- This is Abracadabra’s third exploit after $6.4M and $13M hacks.
- DAO reserves will be used to repurchase affected MIM tokens.
Decentralized finance project Abracadabra has been hit by another exploit that drained about $1.7 million from its platform. Blockchain security firm Go Security confirmed the breach on October 4, marking the third time in two years that the lending protocol has suffered a security incident.
Exploit Drains $1.7 Million from Abracadabra
Go Security reported that attackers laundered roughly 51 ETH through Tornado Cash after exploiting the protocol. The identified wallet, 0x1AaaDe, still held about 344 ETH, worth around $1.55 million at the time of reporting.
Security researcher Weilin Li confirmed the exploit, noting that the attacker manipulated Abracadabra’s smart contract variables to bypass a solvency check. The flaw enabled them to borrow more assets than allowed, prompting Abracadabra’s team to pause all contracts to prevent further losses.
Flaw in Solvency Check Logic
Blockchain audit firm Phalcon traced the issue to faulty logic in the protocol’s cook function, a system that lets users execute multiple actions within a single transaction. The attacker executed two actions that effectively bypassed safeguards.
Phalcon explained that action 5 initiated a borrowing process requiring solvency validation, while action 0 rewrote the validation flag and skipped the final check. The attacker repeated this sequence across several addresses, draining more than 1.79 million MIM tokens.
Researcher Weilin Li wrote on X, “It seems Abracadabra @MIM_Spell is hacked again. This time a more obvious vulnerability where an ‘else’ branch clears status variables and disables solvency checks.”
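The flag-reset pattern described above can be reproduced in a small model. This is an added example, not Abracadabra's contract code: ToyCauldron, the 50% loan-to-value limit, the snapshot rollback and the check_batch helper are assumptions made for illustration, and only the action ids 5 and 0 come from the reports quoted here.

```python
ACTION_NOOP = 0    # action id named in the article
ACTION_BORROW = 5  # action id named in the article; must end with a solvency check

class InsolventError(Exception):
    pass

class ToyCauldron:
    """Constructed model: per-user collateral and debt, 50% max loan-to-value."""
    def __init__(self):
        self.collateral, self.debt = {}, {}

    def solvent(self, user):
        return self.debt.get(user, 0) * 2 <= self.collateral.get(user, 0)

    def _run(self, user, actions, sticky_flag):
        snapshot = dict(self.debt)  # stands in for a transaction revert
        needs_check = False
        for action, amount in actions:
            if action == ACTION_BORROW:
                self.debt[user] = self.debt.get(user, 0) + amount
                needs_check = True
            elif not sticky_flag:
                # Flawed variant: the fall-through branch resets status, so a
                # pending solvency check from an earlier borrow is forgotten.
                needs_check = False
            elif action != ACTION_NOOP:
                self.debt = snapshot
                raise ValueError(f"unknown action {action}")
        # Final gate: only as strong as the flag that guards it.
        if needs_check and not self.solvent(user):
            self.debt = snapshot
            raise InsolventError(user)

    def cook_flawed(self, user, actions):
        self._run(user, actions, sticky_flag=False)

    def cook_hardened(self, user, actions):
        # Hardened variant: the flag can only be set within a batch, never cleared.
        self._run(user, actions, sticky_flag=True)

def check_batch(cook, batch, collateral=100):
    """Run one batch on a fresh pool; return (accepted, debt_after, solvent_after)."""
    pool = ToyCauldron()
    pool.collateral["alice"] = collateral  # constructed sample position
    try:
        getattr(pool, cook)("alice", batch)
        accepted = True
    except InsolventError:
        accepted = False
    return accepted, pool.debt.get("alice", 0), pool.solvent("alice")
```

A useful regression test for this class of bug is the invariant the last tuple element exposes: no accepted batch may leave the account insolvent, whatever order the actions arrive in.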
Abracadabra’s Response and Previous Breaches
Abracadabra has not yet issued an official public statement, though Go Security reported that the team confirmed the exploit on Discord. The team said it plans to use DAO reserves to repurchase the affected MIM supply and stabilize the protocol’s balance sheet.
If confirmed, this incident marks Abracadabra’s third exploit since early 2024. The project lost $6.49 million in January 2024, causing a temporary depeg of its MIM stablecoin. Another attack in March 2025 drained about $13 million from cauldron contracts tied to GMX, after which the team offered a 20% bounty for fund recovery.
DeFi’s Persistent Security Challenges
The recurrence of attacks on Abracadabra underscores ongoing risks in decentralized finance. Security researchers suggest that repeated breaches may stem from complex cross-chain lending architectures that increase potential attack surfaces.
CertiK data shows that about $307 million was stolen from crypto platforms in Q3 2025, with DeFi protocols ranking second to centralized exchanges. This brings total losses this year to more than $3 billion, despite improvements in auditing and smart contract security practices.
Abracadabra’s latest incident, though smaller in scale, reflects how attackers continue to exploit logical flaws in protocol design. As of early October, the project’s official X account remains silent, leaving users awaiting updates on recovery measures and contract audits.