October 6, 2025 | cryptonews

Is Abracadabra Cursed? Third Major DeFi Hack This Year Siphons Another $1.8M

DeFi lending protocol Abracadabra has fallen victim to another exploit, losing approximately $1.8 million in MIM tokens in a sophisticated attack that leveraged a flaw in its “cook” […] breach marks the third major hack linked to Abracadabra this year, deepening concerns about the platform’s contract […] in May, the protocol repurchased 6.5 million MIM, covering about half of the $13 million lost in the March […] team confirmed user funds were unaffected and said it allocated part of its $19 million treasury to buy back MIM and stabilize its supply.

.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common… […] — BlockSec Phalcon (@Phalcon_xyz) October 4, 2025

Notably, blockchain data shows that the attacker exploited the same flaw across six different wallet […] calling the “cook” function with the specific action sequence, the attacker borrowed 1,793,755 MIM tokens and later swapped them for other assets, netting roughly $1.7 to $1.8 million in total […] analysts confirmed that the exploit was not due to a reentrancy bug or a typical flash loan vulnerability but stemmed entirely from a logical error in the […] affected transaction and associated wallets have been flagged by monitoring platforms. Abracadabra’s development team noted that the DAO has identified and mitigated the exploit, and no other funds/users are at […]

[…] Saturday, a security vulnerability was discovered that affected some V4 deprecated cauldrons on Ethereum […] the attack, 1.79m MIM were minted by the […] after, the DAO Treasury identified and mitigated the vulnerability, confirmed no other… — (@MIM_Spell) October 6, 2025

Early suggestions from security experts include implementing isolated state checks for each action and adding mandatory solvency validations after all borrowing […]

Flawed “Cook” Function Was Exploited in Abracadabra Hack

According to blockchain security firm BlockSec, the attack targeted Abracadabra’s “cook” […] feature is designed to let users execute multiple predefined operations in a single […] this design aims to improve efficiency, it also created a dangerous vulnerability due to shared status tracking within the […] action performed under the “cook” function shares a single status […] a borrowing operation (action = 5) occurs, the system sets a flag indicating that a solvency check is required at the end of the transaction.

However, when another action (action = 0) follows, it calls an internal helper function named “additionalCookAction.” This helper function is effectively empty and resets the solvency flag to false, overriding the previous […] oversight allowed attackers to combine the two actions, 5, 0 to borrow assets while bypassing insolvency […] a result, the final solvency check was never executed, letting the attacker drain protocol […]

[…] warn that as DeFi platforms continue to prioritize flexibility and composability, attackers are becoming increasingly adept at identifying overlooked dependencies within complex smart contract […] testing frameworks, improving code reviews, and implementing continuous monitoring are now seen as essential steps to protect protocols and user […]

[…] Hacks Surge in 2025 as Exploits Expose Hidden Smart Contract Risks

The decentralized finance (DeFi) sector is facing one of its toughest years yet, with exploits surging to record highs in […] same victim, Abracadabra, suffered a $13 million Ether (ETH) breach on March 25, 2025, after attackers exploited complex logic flaws buried deep within its smart contract architecture.

[…] suffers a $13M ETH security breach, targeting @GMX_IO-linked pools, marking its second major exploit this year after a $6.49M hack in January. #DeFi #CryptoHack […] — […] (@cryptonews) March 25, 2025

The exploit targeted GMX token pools and drained 6,260 […] common vulnerabilities tied to arithmetic errors or access control, this attack leveraged multi-step transaction logic, making it exceptionally difficult to detect during […] was Abracadabra’s second major exploit of the year, following a $6.49 million incident in January 2024 that destabilized its Magic Internet Money (MIM) […] attack involved several “cauldrons” on […]

[…] Money in Crisis as $6.5 Million Crypto Theft Sends Shockwaves Across DeFi Community. Popular Ethereum-based DeFi lending protocol Abracadabra Money fell victim to a platform attack on January 30. #CryptoNews #news […] — […] (@cryptonews) January 31, 2024

Blockchain sleuths Cyvers Alerts later revealed that the hacker used 1 ETH from Tornado Cash, the sanctioned privacy mixer, to fund the operation, eventually siphoning off 2,740 ETH and moving $4 million to a new […]

[…] Abracadabra attack is part of a broader trend of escalating crypto […] to Chainalysis, over $2.17 billion was stolen between January and June 2025, nearly matching all of 2024’s total […] placed the figure even higher, at $2.47 billion, driven largely by February’s $1.5 billion Bybit hack—one of the largest exchange breaches in […] a monthly basis, hacks caused an estimated $127.06 million in losses in September […] the figure represents a 22% drop from August’s $163 million, nearly 20 major exploits were still […] with the decline, exploit activity remains high, with September losses exceeding July’s $142 […]

[…] hit by $41.5M $SOL hack after API compromise amid cascade of crypto security failures, including Nemo and Aqua exploits. #CryptoHack #Solana […] — […] (@cryptonews) September 8, 2025

With 2025’s mid-year losses already surpassing the $2.2 billion stolen in all of 2024, analysts warn that without stronger security measures, this year could rank among the worst in crypto’s history for breaches.
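The shared-status flaw in “cook” described above, and the suggested per-action isolation, can be reproduced in a small model. This Python sketch is an added example, not Abracadabra's contract code. The function and variable names, the `ACTION_OTHER` placeholder, the `isolate_status` switch and the collateral/debt arithmetic are all assumptions; only the action numbers 5 and 0 and the helper's name come from the article.

```python
from itertools import product

# Simplified model of the flaw described above; not Abracadabra's contract code.
ACTION_CUSTOM = 0   # article: action = 0 calls additionalCookAction
ACTION_BORROW = 5   # article: action = 5 is the borrowing operation
ACTION_OTHER = 1    # assumed placeholder: any action that leaves the flag alone

class Insolvent(Exception):
    """Raised when the final solvency check runs and fails."""

def additional_cook_action():
    """Effectively empty helper: returns a fresh status, flag defaulting to False."""
    return {"needs_solvency_check": False}

def cook(actions, collateral, borrow_amount, isolate_status):
    """Run one batch of actions; return (debt, solvency_check_ran)."""
    status = {"needs_solvency_check": False}
    debt = 0
    for action in actions:
        if action == ACTION_BORROW:
            debt += borrow_amount
            status["needs_solvency_check"] = True
        elif action == ACTION_CUSTOM:
            returned = additional_cook_action()
            if isolate_status:
                # Hardened: a helper may raise the flag but can never clear it.
                status["needs_solvency_check"] |= returned["needs_solvency_check"]
            else:
                # Flawed: the helper's empty status overwrites the shared one.
                status = returned
    if status["needs_solvency_check"]:
        if debt > collateral:
            raise Insolvent("debt exceeds collateral")
        return debt, True
    return debt, False

def unchecked_borrows(isolate_status, max_len=3):
    """Invariant test: list short batches that borrow yet skip the final check."""
    found = []
    for n in range(1, max_len + 1):
        for seq in product((ACTION_CUSTOM, ACTION_OTHER, ACTION_BORROW), repeat=n):
            try:
                debt, checked = cook(seq, 100, 1, isolate_status)
            except Insolvent:
                continue
            if debt > 0 and not checked:
                found.append(seq)
    return found
```

Running `unchecked_borrows` against both variants is the kind of invariant test ("any batch that borrows must end with a solvency check") that catches this class of bug before deployment.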
