Is Abracadabra Cursed? Third Major DeFi Hack This Year Siphons Another $1.8M
DeFi lending protocol Abracadabra has fallen victim to another exploit, losing roughly $1.8 million in MIM tokens in a sophisticated attack that leveraged a flaw in its “cook” function. The breach marks the third major hack linked to Abracadabra this year, deepening concerns about the platform’s contract security.
Earlier in May, the protocol repurchased 6.5 million MIM, covering about half of the $13 million lost in the March exploit. The team confirmed user funds were unaffected and said it allocated part of its $19 million treasury to buy back MIM and stabilize its supply.
Notably, blockchain data shows that the attacker exploited the same flaw across six different wallet addresses. By calling the “cook” function with the specific action sequence, the attacker borrowed 1,793,755 MIM tokens and later swapped them for other assets, netting roughly $1.7 to $1.8 million in total gains.
Security analysts confirmed that the exploit was not due to a reentrancy bug or a typical flash loan vulnerability but stemmed entirely from a logical error in the code. The affected transaction and associated wallets have been flagged by monitoring platforms.
Abracadabra’s development team noted that the DAO has identified and mitigated the exploit, and no other funds/users are at risk.
Early suggestions from security experts include implementing isolated state checks for each action and adding mandatory solvency validations after all borrowing operations.
How Flawed “Cook” Function Was Exploited in Abracadabra Hack
According to blockchain security firm BlockSec, the attack targeted Abracadabra’s “cook” function. This feature is designed to let users execute multiple predefined operations in a single transaction. While this design aims to improve efficiency, it also created a dangerous vulnerability due to shared status tracking within the function.
Each action performed under the “cook” function shares a single status variable. When a borrowing operation (action = 5) occurs, the system sets a flag indicating that a solvency check is required at the end of the transaction.
However, when another action (action = 0) follows, it calls an internal helper function named “additionalCookAction.” This helper function is effectively empty and resets the solvency flag to false, overriding the previous setting.
This oversight allowed attackers to combine the two actions, [5, 0], to borrow assets while bypassing insolvency verification. As a result, the final solvency check was never executed, letting the attacker drain protocol funds.
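The flag overwrite described above can be reproduced and regression-tested on a small model. The following is an added example, not Abracadabra's Solidity code: a simplified Python model in which every name (`cook`, `additional_cook_action`, `unchecked_sequences`, the `hardened` switch) and the collateral and borrow amounts are assumptions. It enumerates short action batches and reports any that finish under-collateralised without the solvency check firing, first with the shared-status flaw and then with a flag that later actions cannot clear.

```python
from itertools import product

ACTION_ADDITIONAL = 0  # "action = 0" on the page: routed to the empty helper
ACTION_BORROW = 5      # "action = 5" on the page: a borrow


class Insolvent(Exception):
    """Stands in for the revert a failed solvency check would cause."""


def additional_cook_action(status):
    # Empty helper (name assumed): does nothing, returns a default status.
    return {"needs_solvency_check": False}


def cook(actions, collateral, amount, hardened):
    """Run a batch of actions; return the resulting debt or raise Insolvent."""
    debt = 0
    status = {"needs_solvency_check": False}  # one status shared by all actions
    for action in actions:
        if action == ACTION_BORROW:
            debt += amount
            status["needs_solvency_check"] = True
        elif action == ACTION_ADDITIONAL:
            returned = additional_cook_action(status)
            if hardened:
                # Mitigation: the flag is sticky, a later action can only set it.
                status["needs_solvency_check"] |= returned["needs_solvency_check"]
            else:
                status = returned  # flaw: the default value replaces the flag
    if status["needs_solvency_check"] and debt > collateral:
        raise Insolvent(f"debt {debt} exceeds collateral {collateral}")
    return debt


def unchecked_sequences(hardened, max_len=3, collateral=100, amount=1000):
    """Invariant test: list action sequences that end under-collateralised
    without the solvency check having stopped them."""
    found = []
    for length in range(1, max_len + 1):
        for seq in product((ACTION_ADDITIONAL, ACTION_BORROW), repeat=length):
            try:
                debt = cook(seq, collateral, amount, hardened)
            except Insolvent:
                continue
            if debt > collateral:
                found.append(seq)
    return found
```

In the flawed model every reported batch contains a borrow and ends with action 0; with the sticky flag the list is empty, which is the property a pre-deployment invariant test for a batching function should assert.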
Analysts warn that as DeFi platforms continue to prioritize flexibility and composability, attackers are becoming increasingly adept at identifying overlooked dependencies within complex smart contract logic. Strengthening testing frameworks, improving code reviews, and implementing continuous monitoring are now seen as essential steps to protect protocols and user funds.
The decentralized finance (DeFi) sector is facing one of its toughest years yet, with exploits surging to record highs in 2025. The same victim, Abracadabra, suffered a $13 million Ether (ETH) breach on March 25, 2025, after attackers exploited complex logic flaws buried deep within its smart contract architecture.
The exploit targeted GMX token pools and drained 6,260 ETH. Unlike common vulnerabilities tied to arithmetic errors or access control, this attack leveraged multi-step transaction logic, making it exceptionally difficult to detect during audits.
That was Abracadabra’s second major exploit of the year, following a $6.49 million incident in January 2024 that destabilized its Magic Internet Money (MIM) stablecoin. The attack involved multiple “cauldrons” on Ethereum.
Blockchain sleuths Cyvers Alerts later revealed that the hacker used 1 ETH from Tornado Cash, the sanctioned privacy mixer, to fund the operation, eventually siphoning off 2,740 ETH and moving $4 million to a new wallet.
The Abracadabra attack is part of a broader trend of escalating crypto thefts. According to Chainalysis, over $2.17 billion was stolen between January and June 2025, nearly matching all of 2024’s total losses. CertiK placed the figure even higher, at $2.47 billion, driven largely by February’s $1.5 billion Bybit hack, one of the largest exchange breaches in history.
On a monthly basis, hacks caused an estimated $127.06 million in losses in September 2025. While the figure represents a 22% drop from August’s $163 million, nearly 20 major exploits were still recorded. Even with the decline, exploit activity remains high, with September losses exceeding July’s $142 million.
With 2025’s mid-year losses already surpassing the $2.2 billion stolen in all of 2024, analysts warn that without stronger security measures, this year could rank among the worst in crypto’s history for breaches.
The post Is Abracadabra Cursed? Third Major DeFi Hack This Year Siphons Another $1.8M appeared first on Cryptonews.
