DeFi project Abracadabra is dealing with a new exploit that has drained around $1.7 million from the platform.
Blockchain security company Go Security flagged the breach on October 4th, confirming that the attacker had already laundered around 51 ETH through Tornado Cash. At the time of reporting, the attacker's wallet (identified as 0x1AAADE) still held around $1.55 million worth of ETH.
How Abracadabra was exploited for the third time
Security researcher Weilin Li reviewed the exploit and explained that the attacker manipulated variables in Abracadabra's smart contract to bypass the solvency check.
This allowed them to borrow assets beyond the intended limits, prompting Abracadabra's team to suspend all contracts to prevent further losses.
Another blockchain auditing company, Phalcon, traced the root cause to a flawed logic sequence in the platform's cook function, a mechanism that allows users to perform several predefined actions in a single transaction.
According to the company, the attacker carried out two actions that together defeated the main safeguards.
The first, known as action 5, began a borrowing process that is supposed to pass the solvency check. The second, action 0, acted as an empty update function that rewrote the check flag, so the final validation step was skipped.
The attacker extracted over 1.79 million MIM tokens by repeating this pattern across six different addresses.
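The flag-overwrite pattern Phalcon describes can be reproduced in a small model. The following is an added example, not Abracadabra's contract code: the class, method and field names and the 0.75 collateral factor are assumptions, and only the action numbers 5 and 0 come from the report. It puts a dispatcher that lets a later action overwrite the check flag next to one where the flag is sticky.

```python
# Simplified model of a batched "cook"-style dispatcher (constructed for
# illustration; class, method and field names are hypothetical).
ACTION_UPDATE, ACTION_BORROW = 0, 5  # action numbers as given in the article
COLLATERAL_FACTOR = 0.75             # assumed borrowing limit for the model

class Insolvent(Exception):
    pass

class Market:
    def __init__(self, collateral):
        self.collateral, self.debt = collateral, 0

    def solvent(self):
        return self.debt <= self.collateral * COLLATERAL_FACTOR

    def _run(self, action, arg):
        if action == ACTION_BORROW:
            self.debt += arg
            return {"needs_solvency_check": True}
        # "Empty" action: does nothing, returns a fresh default status.
        return {"needs_solvency_check": False}

    def _finish(self, needs_check, debt_before):
        if needs_check and not self.solvent():
            self.debt = debt_before  # stands in for a transaction revert
            raise Insolvent("debt exceeds borrowing limit")
        return self.debt

    def cook_flawed(self, actions):
        debt_before, status = self.debt, {"needs_solvency_check": False}
        for action, arg in actions:
            status = self._run(action, arg)  # flaw: last action overwrites the flag
        return self._finish(status["needs_solvency_check"], debt_before)

    def cook_hardened(self, actions):
        debt_before, needs_check = self.debt, False
        for action, arg in actions:
            # Sticky flag: once any action requires the check, nothing clears it.
            needs_check |= self._run(action, arg)["needs_solvency_check"]
        return self._finish(needs_check, debt_before)

def rejected(cook, actions):
    """Return True if the batch is rejected by the final solvency check."""
    try:
        cook(actions)
        return False
    except Insolvent:
        return True
```

For auditors, the property to test is that no ordering of batched actions can clear a pending solvency check before the final validation runs.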
As of the time of reporting, Abracadabra has not yet commented publicly on the incident. In particular, the project's official X account has remained silent since early September.
However, Go Security reported that the Abracadabra team has confirmed on Discord that it will use DAO reserve funds to repurchase the affected MIM supply.
If verified, this latest incident marks the third exploit against Abracadabra in less than two years.
In January 2024, the platform lost $6.49 million in a hack that quickly knocked the MIM stablecoin off its US dollar peg. The second exploit, in March 2025, drained another $13 million from the cauldron contract, and the team then offered the hackers a 20% bounty.
The recurrence of such breaches raises new questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architecture.
