Abracadabra Hit by Third Exploit in Two Years, Losing $1.7M
By Hamza Ahmed

The DeFi protocol Abracadabra was hit by its third major exploit since the beginning of 2024, with attackers draining around $1.7 million by circumventing a smart contract credit check.

Decentralised finance (DeFi) project Abracadabra has suffered a new exploit that drained around $1.7 million from its platform, marking the third major security incident for the protocol in less than two years.

The breach, reported by blockchain security firm Go Security on 4 October, raised renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.

Details of exploit and attack vector

Go Security confirmed that the attackers had already laundered approximately 51 ETH through Tornado Cash following the breach. At the time of the report, the attacker's wallet, identified as 0x1AaaDe, still held approximately 344 ETH, with an approximate value of $1.55 million.

Security researcher Weilin Li has verified the exploit and explained that the attacker manipulated Abracadabra's smart contract variables to bypass a credit check. This manipulation allowed them to borrow assets beyond their intended limit, prompting the Abracadabra team to pause all contracts to prevent further losses.

Another blockchain audit firm, Phalcon, traced the root cause to a faulty logic sequence in a platform function that allows users to perform several predefined actions in a single transaction.

According to the company, the attacker performed two operations that bypassed key safeguards.

The first, known as action 5, initiated a loan process that should have passed solvency checks. The second, called action 0, acted as an empty update function that rewrote the control flag and skipped the final validation step. The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
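
The flag-overwrite pattern Phalcon describes, as a simplified Python model with the fix beside it (an added illustration, not Abracadabra's contract code). The `Vault` class, the 50% borrowing limit, the amounts and the way the flag is carried between actions are assumptions; only the action numbers 0 and 5 come from the report.

```python
# Simplified model constructed for illustration; not Abracadabra's contract code.
ACTION_NOOP = 0    # "action 0": the empty update described in the article
ACTION_BORROW = 5  # "action 5": the borrow step described in the article


class Insolvent(Exception):
    """Stands in for a reverted transaction."""


class Vault:
    """Toy lending vault (hypothetical): debt may not exceed collateral * max_ltv."""

    def __init__(self, collateral, max_ltv=0.5):
        self.collateral = collateral
        self.max_ltv = max_ltv
        self.debt = 0

    def solvent(self):
        return self.debt <= self.collateral * self.max_ltv

    def _dispatch(self, action, amount):
        """Run one action; return True if it requires a final solvency check."""
        if action == ACTION_BORROW:
            self.debt += amount
            return True
        return False  # every other action, including the no-op, reports "no check"

    def batch(self, actions, sticky_flag):
        """Run actions as one transaction; sticky_flag=False models the flaw."""
        debt_before = self.debt
        needs_check = False
        for action, amount in actions:
            result = self._dispatch(action, amount)
            if sticky_flag:
                needs_check = needs_check or result  # once set, stays set
            else:
                needs_check = result  # flaw: a later action overwrites the flag
        if needs_check and not self.solvent():
            self.debt = debt_before  # model the revert rolling back state
            raise Insolvent("debt exceeds borrowing limit")
        return self.debt


def demo():
    """Same oversized borrow against both variants; returns (flawed_debt, fixed_result)."""
    steps = [(ACTION_BORROW, 900), (ACTION_NOOP, 0)]  # constructed input
    flawed = Vault(collateral=1000).batch(steps, sticky_flag=False)
    try:
        fixed = Vault(collateral=1000).batch(steps, sticky_flag=True)
    except Insolvent:
        fixed = "reverted"
    return flawed, fixed
```

With the sticky flag, any action in the batch that requests a solvency check guarantees the check runs at the end, regardless of what later actions report.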

The turbulent history of protocol security

If verified, this latest incident would follow two earlier, more substantial breaches. In January 2024, the platform lost $6.49 million in a hack that briefly de-pegged the stablecoin MIM from the US dollar.

A second exploit in March 2025 drained a further $13 million from its cauldron contracts, following which the team offered the hacker a 20% reward.

At press time, Abracadabra has yet to comment publicly on the incident and the project's official X account has remained silent since early September.

However, Go Security reported that the Abracadabra team has confirmed on Discord that it will use reserve funds from the DAO to buy back the affected MIM supply.
