Decentralised finance (DeFi) project Abracadabra has suffered a new exploit that drained around $1.7 million from its platform, marking the third major security incident for the protocol in less than two years.
The breach, reported by blockchain security firm GoPlus Security on 4 October, has renewed questions about the protocol's security and the sustainability of its cross-chain lending architecture.
🚨 GoPlus Security Alert: The lending and stablecoin platform Abracadabra ( $SPELL ) appears to have been attacked again, with losses of approximately $1.77 million.
Its official Twitter account @MIM_Spell has not been updated since September 9.
Attacker Address:... pic.twitter.com/IjECKsOCWX
- GoPlus Security 🚦 (@GoPlusSecurity) October 5, 2025
Details of exploit and attack vector
GoPlus Security confirmed that the attacker had already laundered approximately 51 ETH through Tornado Cash following the breach. At the time of the report, the attacker's wallet, identified as 0x1AaaDe, still held approximately 344 ETH, worth roughly $1.55 million.
Security researcher Weilin Li has verified the exploit and explained that the attacker manipulated Abracadabra's smart contract variables to bypass a credit check. This manipulation allowed them to borrow assets beyond their intended limit, prompting the Abracadabra team to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause to flawed implementation logic in the platform's cook function, a mechanism that lets users perform several predefined actions in a single transaction.
.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common... pic.twitter.com/4tQzkRbwcT
- BlockSec Phalcon (@Phalcon_xyz) October 4, 2025
According to Phalcon, the attacker chained two operations that together bypassed a key safeguard.
The first, action 5, initiated a borrow that should have been subject to a solvency check. The second, action 0, was an empty update that rewrote the shared control flag, so the final validation step was skipped. By repeating this pattern across six different addresses, the attacker drained more than 1.79 million MIM tokens.
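To make the flaw concrete from a defender's side, here is a constructed toy model of a batched-action executor (not Abracadabra's contract; the names `Cauldron`, `cook`, `deposit`, `borrow` and `empty_update` and the 75% loan-to-value limit are assumptions for illustration). A borrow raises a shared `needs_check` flag, the solvency check runs once at the end of the batch only if that flag is still set, and a later no-op action can clear it; the hardened variant makes the flag one-way so the check cannot be skipped.

```python
from copy import copy
from dataclasses import dataclass


@dataclass
class Account:
    collateral: float = 0.0
    debt: float = 0.0


class Cauldron:
    """Constructed toy model of a batched-action lending contract.

    All actions in one `cook` call share a single control flag, `needs_check`.
    A borrow raises it; the solvency check runs once, at the end of the batch,
    only if the flag is still raised.
    """

    def __init__(self, ltv: float = 0.75, hardened: bool = False):
        self.ltv = ltv              # assumed: max debt per unit of collateral
        self.hardened = hardened    # True: flag can be raised but never cleared
        self.accounts: dict[str, Account] = {}

    def is_solvent(self, acct: Account) -> bool:
        return acct.debt <= acct.collateral * self.ltv

    def cook(self, user: str, actions: list[tuple[str, float]]) -> Account:
        # Work on a copy so a failed batch leaves state untouched (a revert).
        acct = copy(self.accounts.get(user, Account()))
        needs_check = False
        for op, amount in actions:
            if op == "deposit":
                acct.collateral += amount
            elif op == "borrow":            # plays the role of "action 5"
                acct.debt += amount
                needs_check = True
            elif op == "empty_update":      # plays the role of "action 0"
                # Vulnerable: the no-op overwrites the shared flag, so an
                # earlier borrow in the same batch escapes final validation.
                if not self.hardened:
                    needs_check = False
            else:
                raise ValueError(f"unknown action {op!r}")
        if needs_check and not self.is_solvent(acct):
            raise RuntimeError("insolvent: batch reverted")
        self.accounts[user] = acct
        return acct


def run_batch(cauldron: Cauldron, user: str, actions) -> tuple[bool, Account]:
    """Execute one batch; return (accepted?, resulting account state)."""
    try:
        return True, cauldron.cook(user, actions)
    except RuntimeError:
        return False, cauldron.accounts.get(user, Account())
```

The same three-step batch is accepted by the vulnerable model with debt far above the collateral limit and rejected by the hardened one, while an ordinary deposit-then-borrow within the limit passes in both.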
The Turbulent History of Protocol Security
If verified, this latest incident would follow two earlier, more substantial breaches. In January 2024, the platform lost $6.49 million in a hack that briefly depegged the stablecoin MIM from the US dollar.
A second exploit in March 2025 drained a further $13 million from its cauldron contracts, after which the team offered the hacker a 20% reward.
At press time, Abracadabra had yet to comment publicly on the incident, and the project's official X account had been silent since early September.
However, GoPlus Security reported that the Abracadabra team has confirmed on Discord that it will use reserve funds from the DAO to buy back the affected MIM supply.