
It’s the third hack of the platform’s contracts in 2 years, with total losses exceeding US$21 million.
A security flaw on the Abracadabra DeFi lending platform allowed a hacker to steal around US$1.8 million (AU$2.7m) worth of the protocol’s stablecoin, Magic Internet Money (MIM), on Saturday.
Abracadabra said no user funds were lost, and it had fixed the vulnerability, and mitigated the “relatively small impact” of the attack by using treasury funds to buy back MIM from the market.
The attack exploited a logic error in the platform’s ‘cook’ function, which meant the hacker was able to bypass the built-in solvency check designed to limit how much a person can borrow, according to analysis from security firm BlockSec Phalcon.
The ‘cook’ function was called on six different addresses, enabling the hacker to bag approximately 1.79 million MIM, valued at around US$1 each. According to BLIn Analytics, the hacker converted the MIM to ETH and used Tornado Cash to cover their tracks.
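The point of a batched-action entry point like ‘cook’ is that a solvency check must hold over the whole batch, not over any single step. The following is an added toy model, not Abracadabra’s code and not a reconstruction of the flaw the article describes: a single isolated lending market with an assumed collateral price and an assumed maximum loan-to-value ratio, a `cook` method that applies a list of actions atomically, and one solvency check applied after the last action so that action ordering inside the batch cannot be used to borrow past the limit. A failing batch is rolled back in full.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


class SolvencyError(Exception):
    """Raised when a batch would leave a position undercollateralised."""


@dataclass
class Position:
    collateral: float = 0.0  # collateral token units
    debt: float = 0.0        # MIM owed


class Market:
    """Constructed toy of one isolated lending market (cauldron-style).

    Price and ratio are assumptions for illustration, not real settings.
    """

    def __init__(self, collateral_price: float, max_ltv: float) -> None:
        self.collateral_price = collateral_price  # MIM per collateral unit (assumed)
        self.max_ltv = max_ltv                    # max debt / collateral value (assumed)
        self.positions: Dict[str, Position] = {}

    def _pos(self, user: str) -> Position:
        return self.positions.setdefault(user, Position())

    def is_solvent(self, user: str) -> bool:
        p = self._pos(user)
        return p.debt <= p.collateral * self.collateral_price * self.max_ltv

    def cook(self, user: str, actions: List[Tuple[str, float]]) -> Position:
        """Apply a batch of actions atomically, then enforce solvency once.

        The invariant is checked after every action has been applied, so the
        order of actions inside the batch cannot slip a borrow past the check.
        Any failure restores the pre-batch state before re-raising.
        """
        snapshot = {u: Position(p.collateral, p.debt) for u, p in self.positions.items()}
        try:
            p = self._pos(user)
            for kind, amount in actions:
                if amount <= 0:
                    raise ValueError("amounts must be positive")
                if kind == "add_collateral":
                    p.collateral += amount
                elif kind == "remove_collateral":
                    if amount > p.collateral:
                        raise ValueError("insufficient collateral")
                    p.collateral -= amount
                elif kind == "borrow":
                    p.debt += amount
                elif kind == "repay":
                    p.debt -= min(amount, p.debt)
                else:
                    raise ValueError(f"unknown action {kind!r}")
            # One check over the final state of the batch, not per action.
            if not self.is_solvent(user):
                raise SolvencyError(f"{user}: debt {p.debt} exceeds borrow limit")
            return Position(p.collateral, p.debt)
        except Exception:
            self.positions = snapshot  # roll back the whole batch
            raise


def batch_rejected(market: Market, user: str, actions: List[Tuple[str, float]]) -> bool:
    """Return True if the batch is refused by the solvency check (and rolled back)."""
    try:
        market.cook(user, actions)
    except SolvencyError:
        return True
    return False


if __name__ == "__main__":
    m = Market(collateral_price=2.0, max_ltv=0.75)
    print(m.cook("alice", [("add_collateral", 100), ("borrow", 150)]))   # at the limit: accepted
    print(batch_rejected(m, "alice", [("borrow", 1)]))                   # one MIM over: rejected
    # Ordering trick: borrow while collateral is high, then pull collateral out.
    print(batch_rejected(m, "bob", [("add_collateral", 100), ("borrow", 150),
                                    ("remove_collateral", 10)]))         # rejected as a whole
```

The third call is the case a reviewer of any batched-action function should look for: each step on its own looks fine, but the end state is undercollateralised, so the check has to run on the end state and the rollback has to cover the collateral deposit as well as the borrow.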
It has raised questions about the platform’s security, given it’s the third attack the platform has suffered in two years. Previous smart contract exploits resulted in losses of US$6.4m (AU$9.6m) in January 2024, and US$13m (AU$19.6m) in March 2025.
Cauldron Feature Disabled, Security in Question
The DeFi platform temporarily disabled its ‘cauldron’ feature — the isolated lending markets in which users post collateral tokens to borrow MIM and earn yield. The vulnerability affected deprecated V4 cauldrons on the Ethereum mainnet.
“Despite the relatively small impact of such [an] incident, cauldron borrowing is currently disabled as we review the current codebase for the future upcoming deployments,” the platform said.
Crypto security service Three Sigma said the smart contracts under the hood of the platform “allow Abracadabra to create multiple isolated lending markets, each with customized parameters, while ensuring the MIM stablecoin remains backed by collateral at all times.”
Three Sigma said a recorded audit of Abracadabra’s cauldron architecture in 2023 by Guardian Audits uncovered multiple, significant issues that indicated “the codebase required further refinement.” But it was the only audit conducted before the contracts were deployed and no follow-up audits were performed after changes were made — a mistake, the firm said.
Read more on Crypto News Australia

