DeFi project Abracadabra has suffered a fresh exploit that drained about $1.7 million from its platform.
Blockchain security firm Go Security flagged the breach on October 4 and confirmed that attackers had already laundered about 51 ETH through Tornado Cash. At the time of reporting, the attacker's wallet (identified as 0x1AaaDe) still held around 344 ETH, worth roughly $1.55 million.
How Abracadabra Was Exploited for the Third Time
Security researcher Weilin Li verified the exploit and explained that the attacker manipulated Abracadabra's smart contract variables to bypass a solvency check.
This allowed them to borrow assets beyond the intended limit, prompting Abracadabra's team to pause all contracts to prevent further losses.
Another blockchain audit firm, Phalcon, traced the root cause to a flawed logic sequence in the platform's cook function. This is a mechanism that lets users execute multiple predefined actions in a single transaction.
According to the firm, the attacker performed two operations that overrode key safeguards.
The first, called action 5, initiated a borrowing process that was supposed to pass solvency checks. The second, called action 0, acted as an empty update function that rewrote the check flag and skipped the final validation step.
The attacker drained more than 1.79 million MIM tokens by repeating this pattern across six different addresses.
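The flag-overwrite flaw Phalcon describes can be reproduced in a small model. The following is an added example, not Abracadabra's contract code: the class and function names, the 50% collateral rule and the amounts are assumptions, and only the action numbers 5 and 0 come from the report above. It runs the same batch against the flawed sequence and against a hardened one in which the flag, once set, cannot be cleared by a later action.

```python
# Simplified model of a batched "cook"-style executor. Constructed for
# illustration: names, the collateral rule and all amounts are assumptions.
ACTION_UPDATE, ACTION_BORROW = 0, 5   # action numbers as reported on this page

class Insolvent(Exception):
    pass

class Market:
    def __init__(self, sticky_flag):
        self.sticky_flag = sticky_flag   # False = flawed sequence, True = hardened
        self.collateral = {}             # user -> collateral value
        self.debt = {}                   # user -> borrowed amount

    def _solvent(self, user):
        # Assumed rule: debt may not exceed 50% of collateral value.
        return self.debt.get(user, 0) * 2 <= self.collateral.get(user, 0)

    def _run(self, user, action, amount):
        """Execute one action; return True if it requires a solvency check."""
        if action == ACTION_BORROW:
            self.debt[user] = self.debt.get(user, 0) + amount
            return True
        return False                     # ACTION_UPDATE changes nothing here

    def cook(self, user, actions):
        snapshot = dict(self.debt)       # lets us emulate a transaction revert
        needs_check = False
        for action, amount in actions:
            result = self._run(user, action, amount)
            if self.sticky_flag:
                needs_check = needs_check or result  # once set, stays set
            else:
                needs_check = result     # flaw: a later action overwrites the flag
        if needs_check and not self._solvent(user):
            self.debt = snapshot
            raise Insolvent(user)
        return self.debt.get(user, 0)

def outcome(sticky_flag, actions, collateral=100):
    """Return the resulting debt, or "reverted" if the solvency check fired."""
    market = Market(sticky_flag)
    market.collateral["acct"] = collateral
    try:
        return market.cook("acct", actions)
    except Insolvent:
        return "reverted"
```

A regression test for this class of bug asserts that no ordering of actions in one batch can end with an under-collateralised position, rather than testing each action in isolation.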
As of press time, Abracadabra has yet to comment publicly on the incident. Notably, the project's official X account has remained silent since early September.
However, Go Security reported that the Abracadabra team confirmed on Discord that it might use DAO reserve funds to repurchase the affected MIM supply.
Meanwhile, if verified, the latest incident would mark the third exploit against Abracadabra in under two years.
In January 2024, the platform lost $6.49 million in a hack that briefly depegged the MIM stablecoin from the US dollar. A second exploit in March 2025 drained another $13 million from its cauldron contracts, after which the team offered the hacker a 20% bounty.
The recurrence of such breaches raises renewed questions about the security of the DeFi protocol and the sustainability of its cross-chain lending architectures.