Abracadabra Hit by Third Exploit in Two Years, Losing $1.7M
The DeFi Abracadabra protocol was hit by its third major exploit since the beginning of 2024, with attackers draining around $1.7 million by circumventing a smart contract credit check.
Decentralised finance (DeFi) project Abracadabra has suffered a new exploit that drained around $1.7 million from its platform, marking the third major security incident for the protocol in less than two years.
The breach, reported by blockchain security firm Go Security on 4 October, raised renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.
🚨 GoPlus Security Alert: The lending and stablecoin platform Abracadabra ( $SPELL ) appears to have been attacked again, with losses of approximately $1.77 million.
Its official Twitter account @@MIM_Spell has not been updated since September 9.
Go Security confirmed that the attackers had already laundered approximately 51 ETH through Tornado Cash following the breach. At the time of the report, the attacker's wallet, identified as 0x1AaaDe, still held approximately 344 ETH, with an approximate value of $1.55 million.
Security researcher Weilin Li has verified the exploit and explained that the attacker manipulated Abracadabra's smart contract variables to bypass a credit check. This manipulation allowed them to borrow assets beyond their intended limit, prompting the Abracadabra team to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in the platform function. This is a mechanism that allows users to perform several predefined actions in a single transaction.
.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common... pic.twitter.com/4tQzkRbwcT
According to the company, the attacker performed two operations that bypassed key safeguards.
The first, known as action 5, initiated a loan process that should have passed solvency checks. The second, called action 0, acted as an empty update function that rewrote the control flag and skipped the final validation step. The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
The Turbulent History of Protocol Security
If verified, this latest incident would follow two earlier, more substantial breaches. In January 2024, the platform lost $6.49 million in a hack that had briefly deprecated the stablecoin MIM from the US dollar.
A second exploit in March 2025 had drained a further $13 million from its cauldron contracts, following which the team offered the hacker a 20% reward.
At press time, Abracadabra has yet to comment publicly on the incident and the project's official X account has remained silent since early September.
However, Go Security reported that the Abracadabra team has confirmed on Discord that it will use reserve funds from the DAO to buy back the affected MIM supply.
Former CFO Nevin Shetty was convicted of fraud after surreptitiously transferring $35 million of the company's money to his DeFi platform, losing almost all of it in Terra's collapse in 2022. Here is how the scheme happened and what happens now.
Arthur Hayes, former CEO of BitMEX, urged Zcash (ZEC) holders to withdraw their coins from exchanges and move them to shielded addresses, revealing that ZEC is now his second largest position.
Uniswap's price doubles after Hayden Adams proposes to burn 100 million UNI tokens and activate the burning of commissions, turning UNI into a deflationary asset.
The battle over the regulation of decentralised finance could determine whether the US will finally pass the long-awaited cryptocurrency market structure law.
Decentralised finance (DeFi) project Abracadabra has suffered a new exploit that drained around $1.7 million from its platform, marking the third major security incident for the protocol in less than two years.
The breach, reported by blockchain security firm Go Security on 4 October, raised renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.
Details of exploit and attack vector
Go Security confirmed that the attackers had already laundered approximately 51 ETH through Tornado Cash following the breach. At the time of the report, the attacker's wallet, identified as 0x1AaaDe, still held approximately 344 ETH, with an approximate value of $1.55 million.
Security researcher Weilin Li has verified the exploit and explained that the attacker manipulated Abracadabra's smart contract variables to bypass a credit check. This manipulation allowed them to borrow assets beyond their intended limit, prompting the Abracadabra team to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in the platform function. This is a mechanism that allows users to perform several predefined actions in a single transaction.
According to the company, the attacker performed two operations that bypassed key safeguards.
The first, known as action 5, initiated a loan process that should have passed solvency checks. The second, called action 0, acted as an empty update function that rewrote the control flag and skipped the final validation step. The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
The Turbulent History of Protocol Security
If verified, this latest incident would follow two earlier, more substantial breaches. In January 2024, the platform lost $6.49 million in a hack that had briefly deprecated the stablecoin MIM from the US dollar.
A second exploit in March 2025 had drained a further $13 million from its cauldron contracts, following which the team offered the hacker a 20% reward.
At press time, Abracadabra has yet to comment publicly on the incident and the project's official X account has remained silent since early September.
However, Go Security reported that the Abracadabra team has confirmed on Discord that it will use reserve funds from the DAO to buy back the affected MIM supply.
Read Next
Ex-CFO sentenced after $35m crypto bet evaporates with Terra's collapse
Former CFO Nevin Shetty was convicted of fraud after surreptitiously transferring $35 million of the company's money to his DeFi platform, losing almost all of it in Terra's collapse in 2022. Here is how the scheme happened and what happens now.
Arthur Hayes Pushes Zcash Towards 'Shield': Halving and Regulatory Risks in Focus
Arthur Hayes, former CEO of BitMEX, urged Zcash (ZEC) holders to withdraw their coins from exchanges and move them to shielded addresses, revealing that ZEC is now his second largest position.
Uniswap Price Jumps After Founder's Proposal to Burn UNI Tokens and Activate Commissions
Uniswap's price doubles after Hayden Adams proposes to burn 100 million UNI tokens and activate the burning of commissions, turning UNI into a deflationary asset.
Cryptocurrency CEOs, Legislators and White House Clash on DeFi Oversight
The battle over the regulation of decentralised finance could determine whether the US will finally pass the long-awaited cryptocurrency market structure law.