Abracadabra Exploit Drains $1.8M in MIM Stablecoin, DAO Says Issue Contained

- Over 1.79 million Magic Internet Money (MIM) tokens, valued at around US$1.8m, were stolen on Saturday October 4.
- The attacker exploited a flaw in deprecated smart contracts on the Abracadabra decentralised finance (DeFi) platform.
- It’s the third hack of the platform’s contracts in two years, with total losses exceeding US$21 million.
A security flaw on the Abracadabra DeFi lending platform allowed a hacker to steal around US$1.8 million (AU$2.7m) worth of the protocol’s stablecoin, Magic Internet Money (MIM), on Saturday.
Abracadabra said no user funds were lost, that it had fixed the vulnerability, and that it had mitigated the “relatively small impact” of the attack by using treasury funds to buy back MIM from the market.
Shortly after, the DAO Treasury identified and mitigated the vulnerability, confirmed no other cauldrons or users’ funds were at risk, and bought back from the market the entirety of the affected MIM, completely reversing the effect of the attack.
The attack exploited a logic error in the platform’s ‘cook’ function, which meant the hacker was able to bypass the built-in solvency check designed to limit how much a person can borrow, according to analysis from security firm BlockSec Phalcon.
The ‘cook’ function was called on six different addresses, enabling the hacker to bag approximately 1.79 million MIM, valued at around US$1 each. According to BLIn Analytics, the hacker converted the MIM to ETH and used Tornado Cash to cover their tracks.
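As an added illustration (not Abracadabra’s contracts, and not a reconstruction of the flaw, which the article does not detail), the following minimal batch-action lending contract shows the invariant a ‘cook’-style function must uphold: whatever mix of actions a batch runs, the caller must be solvent when the call ends. The contract name, action codes, 75% collateralisation rate and fixed collateral price are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration only: not Abracadabra's contracts and not a
// reconstruction of the flaw the article mentions. It shows the invariant a
// batched lending call must uphold: the caller is solvent when the call ends.
contract MiniCauldron {
    uint8 public constant ACTION_ADD_COLLATERAL = 1;
    uint8 public constant ACTION_BORROW = 2;
    uint8 public constant ACTION_REPAY = 3;

    // Assumed parameters: 75% collateralisation, 1 stablecoin per collateral unit.
    uint256 public constant COLLATERIZATION_RATE = 75_000; // scaled by 1e5
    uint256 public constant RATE_PRECISION = 100_000;
    uint256 public constant COLLATERAL_PRICE = 1e18;        // scaled by 1e18

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    // Batch dispatcher in the spirit of a 'cook' function. Token transfers are
    // omitted; only the position bookkeeping matters for the invariant.
    function cook(uint8[] calldata actions, uint256[] calldata amounts) external {
        require(actions.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_ADD_COLLATERAL) {
                collateral[msg.sender] += amounts[i];
            } else if (actions[i] == ACTION_BORROW) {
                debt[msg.sender] += amounts[i];
            } else if (actions[i] == ACTION_REPAY) {
                uint256 owed = debt[msg.sender];
                debt[msg.sender] = amounts[i] >= owed ? 0 : owed - amounts[i];
            } else {
                revert("unknown action");
            }
        }
        // Enforced unconditionally after every batch, whatever actions ran.
        // Gating this on state that individual actions may or may not set is
        // a common way for a solvency check to end up skippable.
        require(_isSolvent(msg.sender), "insolvent");
    }

    function _isSolvent(address user) internal view returns (bool) {
        uint256 owed = debt[user];
        if (owed == 0) return true;
        uint256 value = collateral[user] * COLLATERAL_PRICE / 1e18;
        return value * COLLATERIZATION_RATE / RATE_PRECISION >= owed;
    }
}
```

A batch of [ADD_COLLATERAL 100, BORROW 75] succeeds, while [BORROW 75] alone, or [ADD_COLLATERAL 100, BORROW 76], reverts with "insolvent" regardless of action order.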
The incident has raised questions about the platform’s security, given it’s the third attack the platform has suffered in two years. Previous smart contract exploits resulted in losses of US$6.4m (AU$9.6m) in January 2024, and US$13m (AU$19.6m) in March 2025.
Cauldron Feature Disabled, Security in Question
The DeFi platform temporarily disabled its ‘cauldron’ feature — the lending markets it offers users to earn yield on collateralised tokens used to borrow MIM. The vulnerability affected deprecated V4 cauldrons on the Ethereum mainnet.
“Despite the relatively small impact of such [an] incident, cauldron borrowing is currently disabled as we review the current codebase for the future upcoming deployments,” the platform said.
Crypto security service Three Sigma said the smart contracts under the hood of the platform “allow Abracadabra to create multiple isolated lending markets, each with customized parameters, while ensuring the MIM stablecoin remains backed by collateral at all times.”
Three Sigma said an audit of Abracadabra’s cauldron architecture in 2023 by Guardian Audits uncovered multiple significant issues that indicated “the codebase required further refinement.” But it was the only audit conducted before the contracts were deployed, and no follow-up audits were performed after changes were made — a mistake, the firm said.
The exploit that followed was not caused by an audit oversight but rather by the protocol team’s failure to seek deeper validation after integration changes.
