The DeFi project Abracadabra has experienced another exploit, resulting in approximately $1.7 million being drained from its platform.
On October 4, the blockchain security firm Go Security reported the breach and confirmed that the attackers had laundered about 51 ETH via Tornado Cash. At the time of the report, the attacker’s wallet (identified as 0x1AaaDe) still contained around 344 ETH, worth roughly $1.55 million.
How Abracadabra Was Exploited for the Third Time
Security researcher Weilin Li verified the exploit and explained that the attacker manipulated the variables within Abracadabra’s smart contract to circumvent a solvency check.
This manipulation enabled them to borrow assets beyond the authorized limit, prompting Abracadabra’s team to halt all contracts to avert further losses.
Another blockchain audit firm, Phalcon, traced the issue back to a faulty logic sequence in the platform’s cook function, which allows users to perform numerous predefined actions in a single transaction.
According to the firm, the attacker used two actions that together circumvented key safety measures.
The first action, termed action 5, initiated a borrow that was meant to pass a solvency check. The second, designated as action 0, acted as an empty update that altered the check flag, so the final validation step was bypassed.
The attacker siphoned off over 1.79 million MIM tokens by repeating this method across six different addresses.
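The flag handling Phalcon describes can be modeled in a few lines. This is an added example, not Abracadabra's contract code: the `Cauldron` class, the collateral and loan-to-value figures, and the `sticky_flag` switch are assumptions made for illustration, and only the action numbers 5 and 0 come from the report. It contrasts a dispatcher where a later action can overwrite the solvency-check flag with one where the flag can only be raised.

```python
# Simplified model of a batched-action dispatcher (hypothetical names and
# limits); it is not the protocol's Solidity code.
ACTION_NOOP = 0     # "action 0" in the report: an empty update
ACTION_BORROW = 5   # "action 5" in the report: starts a borrow


class Insolvent(Exception):
    pass


class Cauldron:
    def __init__(self, collateral_value, max_ltv=0.8, sticky_flag=False):
        self.collateral_value = collateral_value
        self.max_ltv = max_ltv
        self.debt = 0
        self.sticky_flag = sticky_flag  # True selects the hardened behaviour

    def _solvent(self):
        return self.debt <= self.collateral_value * self.max_ltv

    def _run(self, action, amount):
        """Run one action; return True if it requires a solvency check."""
        if action == ACTION_BORROW:
            self.debt += amount
            return True
        if action == ACTION_NOOP:
            return False
        raise ValueError(f"unknown action {action}")

    def cook(self, actions):
        saved_debt = self.debt
        needs_check = False
        for action, amount in actions:
            required = self._run(action, amount)
            if self.sticky_flag:
                # Hardened: once any action demands the check, it stays set.
                needs_check = needs_check or required
            else:
                # Flawed: the last action's result replaces the flag.
                needs_check = required
        if needs_check and not self._solvent():
            self.debt = saved_debt  # model the transaction reverting
            raise Insolvent("position exceeds borrow limit")
        return self.debt
```

A regression test for this class of bug asserts that any batch containing a borrow ends with the solvency check executed, regardless of which actions follow it.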
As of the latest reports, Abracadabra has not yet made a public statement regarding the incident. Notably, the project’s official X account has been inactive since early September.
Nevertheless, Go Security stated that the Abracadabra team confirmed on Discord plans to utilize DAO reserve funds to repurchase the affected MIM tokens.
This latest incident, if confirmed, would be the third exploit against Abracadabra in less than two years.
In January 2024, the platform incurred a loss of $6.49 million due to a hack that temporarily depegged the MIM stablecoin from the US dollar. A second exploit in March 2025 drained an additional $13 million from its cauldron contracts, leading the team to offer the hacker a 20% bounty.
The frequency of such breaches raises renewed concerns regarding the security of the DeFi protocol and the viability of its cross-chain lending architectures.