DeFi project Abracadabra has suffered a fresh exploit that drained about $1.7 million from its platform.
Blockchain security firm Go Security flagged the breach on October 4 and confirmed that attackers had already laundered about 51 ETH through Tornado Cash. At the time of reporting, the attacker’s wallet (identified as 0x1AaaDe) still held around 344 ETH, worth approximately $1.55 million.
SponsoredHow Abracadabra Was Exploited for the Third Time
Security researcher Weilin Li verified the exploit and explained that the attacker manipulated Abracadabra’s smart contract variables to bypass a solvency check.
This allowed them to borrow assets beyond the intended limit, prompting Abracadabra’s team to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in the platform’s cook function. This is a mechanism that lets users execute several predefined actions in one transaction.
According to the firm, the attacker carried out two operations that overrode key safeguards.
SponsoredThe first, known as action 5, initiated a borrowing process that was supposed to pass solvency checks. The second, called action 0, acted as an empty update function that rewrote the check flag and skipped the final validation step.
The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
As of press time, Abracadabra has yet to comment publicly on the incident. Notably, the project’s official X account has remained silent since early September.
However, Go Security reported that the Abracadabra team confirmed on Discord that it would use DAO reserve funds to repurchase the affected MIM supply.
Meanwhile, if verified, the latest incident would mark the third exploit against Abracadabra in under two years.
In January 2024, the platform lost $6.49 million in a hack that briefly depegged the MIM stablecoin from the US dollar. A second exploit in March 2025 drained another $13 million from its cauldron contracts, after which the team offered the hacker a 20% bounty.
The recurrence of such breaches raises renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.
