DeFi protocol Abracadabra lost $1.8 million after an attacker exploited a simple logic flaw in its batch function. Analysts at Hacken say the attacker has already laundered money through Tornado Cash.
Summary
- Abracadabra lost nearly $2 million after an attacker exploited a simple logic flaw in the batch function, similar to an attack on a forked project days earlier.
- The attacker bypassed a security flag intended to check whether borrowers had sufficient collateral and emptied six cauldrons in one go before exchanging the stolen MIM for ETH and sending it through Tornado Cash.
- This isn’t the first time Abracadabra’s code has been targeted, but the incident shows how a small, unimplemented feature can allow hackers to take advantage, even if the same flaw was visible in a fork.
In early October, Abracadabra, a DeFi lending protocol that lets users borrow its stablecoin MIM against deposited tokens as collateral and that has suffered multiple attacks before, lost about $1.8 million again after an attacker used a simple logic flaw in the protocol’s batch function to borrow without providing any collateral, in the same way a forked project had been hit just days earlier, analysts at blockchain security firm Hacken said in a research note shared with crypto.news.
Abracadabra was launched as a way for people to use interest-bearing tokens as collateral and borrow a US dollar-pegged token called Magic Internet Money, or MIM. The system is built around two parts: Cauldrons, which handle the lending rules, and DegenBox, the shared vault that actually holds the tokens. In short: you put collateral into a Cauldron and the DegenBox keeps track of the money behind the scenes.
The short version of what went wrong is this: a security flag that should force a final check on whether a borrower actually has collateral was disabled within a single transaction. As Hacken’s report explains, the attacker “exploited a logic flaw in Abracadabra’s cook() function, allowing them to borrow MIM tokens and then immediately reset the validation flag that was supposed to check whether they had sufficient collateral.” This made a one-off loan without collateral possible across several Cauldrons.
Under the microscope
Here’s how the flow worked, in plain terms. Abracadabra uses a batch function called cook() that allows users to perform multiple actions in one transaction. Suppose you put up collateral and borrow in one click. One of those actions, such as the “borrow” step, sets a flag called needsSolvencyCheck to true, which means “at the end of this transaction, check whether the borrower is safe.”
But another action that can be performed within the same batch is called “_additionalCookAction(…).” As Hacken notes, that function was declared as ‘virtual’ and never implemented, so by default it returned an empty object with everything set to false, including that needsSolvencyCheck flag.
As a result, the attacker called the borrow action and then the default action that reset the flag, and the protocol never checked solvency at the end of the transaction.
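The flag-handling pattern described above, shown as a simplified model added for this article (not Abracadabra’s actual CauldronV4 code): a batch function whose per-action hook returns a fresh, all-false status struct and overwrites the flag set by an earlier borrow, next to a hardened version in which the flag is sticky and can only be set, never cleared, by a later action. Contract names, action IDs and the struct layout are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model of a batch "cook" pattern; not the project's own code.
struct CookStatus {
    bool needsSolvencyCheck;
}

abstract contract CookBase {
    uint8 internal constant ACTION_BORROW = 1; // assumed action id
    uint8 internal constant ACTION_CUSTOM = 2; // assumed action id routed to the hook

    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrowed;

    function addCollateral(uint256 amount) external {
        collateral[msg.sender] += amount; // toy accounting for the illustration
    }

    function _borrow(address user, uint256 amount) internal {
        borrowed[user] += amount;
    }

    // Default hook: declared virtual and never overridden, so it hands back a
    // zero-initialised struct in which needsSolvencyCheck == false.
    function _additionalCookAction(uint8, CookStatus memory)
        internal virtual returns (CookStatus memory)
    {
        CookStatus memory empty;
        return empty;
    }

    function _isSolvent(address user) internal view returns (bool) {
        return borrowed[user] <= collateral[user];
    }
}

// Vulnerable pattern: the hook's return value REPLACES the running status, so
// a borrow followed by a custom action ends the batch with the flag cleared.
contract VulnerableCook is CookBase {
    function cook(uint8[] calldata actions, uint256[] calldata amounts) external {
        CookStatus memory status;
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                _borrow(msg.sender, amounts[i]);
                status.needsSolvencyCheck = true;
            } else {
                status = _additionalCookAction(actions[i], status); // overwrites flag
            }
        }
        if (status.needsSolvencyCheck) {
            require(_isSolvent(msg.sender), "insolvent");
        }
    }
}

// Hardened pattern: flags are merged with OR, so once any action has
// requested a solvency check, no later action in the batch can un-request it.
contract HardenedCook is CookBase {
    function cook(uint8[] calldata actions, uint256[] calldata amounts) external {
        CookStatus memory status;
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                _borrow(msg.sender, amounts[i]);
                status.needsSolvencyCheck = true;
            } else {
                CookStatus memory updated = _additionalCookAction(actions[i], status);
                status.needsSolvencyCheck =
                    status.needsSolvencyCheck || updated.needsSolvencyCheck;
            }
        }
        if (status.needsSolvencyCheck) {
            require(_isSolvent(msg.sender), "insolvent");
        }
    }
}
```

The defensive point is the merge step: any status bit that exists to force an end-of-batch safety check should be monotonic within the transaction. A reviewer auditing a cook-style dispatcher can check this mechanically by asking, for every branch that consumes a hook’s return value, whether it can lower a flag that an earlier branch raised.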
The analysts say the attacker hit six Cauldrons in one go, taking around 1.79 million MIM and exchanging them for ETH. The attacker worked through the vulnerability systematically, targeting six different cauldrons and emptying them all “using the same technique with a special cooking function,” the analysts explained.

After the exchange, the attacker sent the funds through Tornado Cash, a crypto mixing protocol, in batches of about 10 ETH each, gradually over the following day.
And this isn’t the first time Abracadabra’s CauldronV4 code has run into trouble. Other incidents earlier this year used different edge cases within the same contract family. What’s interesting now is how quickly the forked project responded.
According to the report, a fork called Synnax paused or removed its CauldronV4 master contract on its own DegenBox days before the Abracadabra drain, so essentially the fork team pulled the emergency brake after noticing the same weak pattern, suggesting the risk was visible to teams looking at the code, even if it had not been fixed.