Abracadabra’s third breach in two years turns “Magic Internet Money” into a disappearing act: an attacker slipped past a solvency check flaw to drain $1.8M MIM, pushing cumulative losses beyond $21M.
DeFi lending protocol Abracadabra has fallen victim to another exploit, losing approximately $1.8 million in MIM tokens in a sophisticated attack that leveraged a flaw in its “cook” function. The breach marks the third major hack linked to Abracadabra this year, deepening concerns about the platform’s contract security.
Earlier in May, the protocol repurchased 6.5 million MIM, covering about half of the $13 million lost in the March exploit. The team confirmed user funds were unaffected and said it allocated part of its $19 million treasury to buy back MIM and stabilize its supply.
Notably, blockchain data shows that the attacker exploited the same flaw across six different wallet addresses. By calling the “cook” function with the specific action sequence, the attacker borrowed 1,793,755 MIM tokens and later swapped them for other assets, netting roughly $1.7 to $1.8 million in total gains.
Security analysts confirmed that the exploit was not due to a reentrancy bug or a typical flash loan vulnerability but stemmed entirely from a logical error in the code. The affected transaction and associated wallets have been flagged by monitoring platforms.
Abracadabra’s development team noted that the DAO has identified and mitigated the exploit, and no other funds/users are at risk.
Early suggestions from security experts include implementing isolated state checks for each action and adding mandatory solvency validations after all borrowing operations.
According to blockchain security firm BlockSec, the attack targeted Abracadabra’s “cook” function. This feature is designed to let users execute multiple predefined operations in a single transaction. While this design aims to improve efficiency, it also created a dangerous vulnerability due to shared status tracking within the function.
Each action performed under the “cook” function shares a single status variable. When a borrowing operation (action = 5) occurs, the system sets a flag indicating that a solvency check is required at the end of the transaction.
However, when another action (action = 0) follows, it calls an internal helper function named “additionalCookAction.” This helper function is effectively empty and resets the solvency flag to false, overriding the previous setting.
This oversight allowed attackers to combine the two actions, to borrow assets while bypassing insolvency verification. As a result, the final solvency check was never executed, letting the attacker drain protocol funds.
Analysts warn that as DeFi platforms continue to prioritize flexibility and composability, attackers are becoming increasingly adept at identifying overlooked dependencies within complex smart contract logic. Strengthening testing frameworks, improving code reviews, and implementing continuous monitoring are now seen as essential steps to protect protocols and user funds.
