Back

Abracadabra Suffers Third DeFi Exploit As Hackers Drain $1.7 million

05 October 2025 15:00 UTC
Trusted
  • Abracadabra, a leading DeFi lending platform, has suffered its third major exploit in two years, losing about $1.7 million.
  • Security experts said the malicious attacker manipulated a smart contract flaw to bypass solvency checks and drain funds.
  • Meanwhile, the project's team has paused all contracts and plans to use DAO reserves to repurchase the stolen MIM tokens.
Promo

DeFi project Abracadabra has suffered a fresh exploit that drained about $1.7 million from its platform.

Blockchain security firm Go Security flagged the breach on October 4 and confirmed that attackers had already laundered about 51 ETH through Tornado Cash. At the time of reporting, the attacker’s wallet (identified as 0x1AaaDe) still held around 344 ETH, worth approximately $1.55 million.

Sponsored
Sponsored

How Abracadabra Was Exploited for the Third Time

Security researcher Weilin Li verified the exploit and explained that the attacker manipulated Abracadabra’s smart contract variables to bypass a solvency check.

This allowed them to borrow assets beyond the intended limit, prompting Abracadabra’s team to pause all contracts to prevent further losses.

Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in the platform’s cook function. This is a mechanism that lets users execute several predefined actions in one transaction.

According to the firm, the attacker carried out two operations that overrode key safeguards.

Sponsored
Sponsored

The first, known as action 5, initiated a borrowing process that was supposed to pass solvency checks. The second, called action 0, acted as an empty update function that rewrote the check flag and skipped the final validation step.

The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.

As of press time, Abracadabra has yet to comment publicly on the incident. Notably, the project’s official X account has remained silent since early September.

However, Go Security reported that the Abracadabra team confirmed on Discord that it would use DAO reserve funds to repurchase the affected MIM supply.

Meanwhile, if verified, the latest incident would mark the third exploit against Abracadabra in under two years.

In January 2024, the platform lost $6.49 million in a hack that briefly depegged the MIM stablecoin from the US dollar. A second exploit in March 2025 drained another $13 million from its cauldron contracts, after which the team offered the hacker a 20% bounty.

The recurrence of such breaches raises renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.