A DeFi project, Abracadabra, has been exploited, resulting in a loss of about $1.7 million. This is the third time the platform has been a victim of a security breach. On October 4, Go Security, a blockchain security firm, flagged the exploit and confirmed that the attackers had already laundered roughly 51 ETH using Tornado Cash. At the time of reporting, the attacker’s wallet, identified as 0x1AaaDe, still contained around 344 ETH, which is worth approximately $1.55 million.
Security researcher Weilin Li verified the exploit and explained that the attacker was able to manipulate Abracadabra’s smart contract variables to bypass a solvency check. This allowed the attacker to borrow assets that exceeded the intended limit. As a result, Abracadabra’s team had to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause of the exploit to a faulty logic sequence in the platform’s cook function. The cook function is a mechanism that allows users to execute several predefined actions in a single transaction. According to the firm, the attacker performed two operations that overrode key safeguards.
The first operation, known as action 5, started a borrowing process that was supposed to pass solvency checks. The second operation, called action 0, acted as an empty update function. This function rewrote the check flag and skipped the final validation step. The attacker was able to drain more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
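The flag-overwrite pattern described above, reduced to a toy model with the flawed and hardened behaviour side by side (an added example, not Abracadabra's contract code or Phalcon's analysis). The class, method and flag names, the collateral and loan-to-value numbers, and the `sticky_flag` switch are assumptions for illustration; only the action numbers 5 and 0 come from the article.

```python
# Simplified model of a batched "cook"-style executor. Names and numbers are
# constructed for illustration; this is not Abracadabra's contract code.
ACTION_BORROW = 5   # action number taken from the write-up above
ACTION_NOOP = 0     # the "empty update" action from the write-up above


class Insolvent(Exception):
    pass


class Vault:
    def __init__(self, collateral, max_ltv=0.5, sticky_flag=False):
        self.collateral = collateral      # constructed sample value
        self.debt = 0
        self.max_ltv = max_ltv            # assumed loan-to-value limit
        self.sticky_flag = sticky_flag    # False = flawed, True = hardened

    def _solvent(self):
        return self.debt <= self.collateral * self.max_ltv

    def _run(self, action, amount):
        """Run one action; return True if it requires a final solvency check."""
        if action == ACTION_BORROW:
            self.debt += amount
            return True
        if action == ACTION_NOOP:
            return False                  # changes nothing, asks for no check
        raise ValueError(f"unknown action {action}")

    def cook(self, actions):
        needs_check = False
        snapshot = self.debt
        for action, amount in actions:
            result = self._run(action, amount)
            if self.sticky_flag:
                needs_check = needs_check or result   # can only be raised
            else:
                needs_check = result                  # flaw: later action overwrites
        if needs_check and not self._solvent():
            self.debt = snapshot                      # model of a transaction revert
            raise Insolvent("borrow exceeds collateral limit")
        return self.debt
```

The hardened branch treats the check requirement as monotonic within a batch: once any action requests the solvency check, no later action can clear it.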
At this time, Abracadabra has not publicly commented on the incident. The project’s official X account has not been updated since early September. However, according to Go Security, the Abracadabra team confirmed on Discord that it would use DAO reserve funds to repurchase the affected MIM supply.