DeFi lending protocol Abracadabra has fallen victim to a new exploit, losing around $1.8 million worth of MIM tokens in a sophisticated attack that exploited a flaw in the “cook” function. The breach marks the third major hack linked to Abracadabra this year, raising concerns about the platform’s contract security.
Earlier in May, the protocol bought back 6.5 million MIM, covering about half of the $13 million lost in the March exploit. The team confirmed that user funds were not affected and said it had allocated a portion of its $19 million treasury to buy back MIM and stabilize supply.
Specifically, blockchain data shows that the attacker exploited the same flaw on six different wallet addresses. By calling the ‘cook’ function with a specific action sequence, the attacker borrowed 1,793,755 MIM tokens and later exchanged them for other assets, totaling approximately $1.7 to $1.8 million in profits.
Security analysts confirmed that the exploit was not due to a reentrancy bug or a typical flash loan vulnerability, but stemmed entirely from a logical error in the code. The affected transaction and its associated wallet have been flagged by monitoring platforms.
The Abracadabra development team noted that the DAO has identified and contained the exploit, and that no other funds/users are at risk.
Early suggestions from security experts include implementing isolated state controls for every action and adding mandatory solvency validations after all loan transactions.
How the flawed ‘Cook’ feature was exploited in the Abracadabra hack
According to blockchain security firm BlockSec, the attack targeted Abracadabra’s “cook” function. This feature is designed to let users perform multiple predefined operations in a single transaction. While this design aims to improve efficiency, it also created a dangerous vulnerability due to shared state tracking within the function.
Each action performed under the “cook” function shares a single state variable. When a loan operation (action = 5) occurs, the system sets a flag indicating that a solvency check is required at the end of the transaction.
However, when another action (action = 0) follows, an internal helper function called ‘additionalCookAction’ is called. This helper function is essentially empty and resets the solvency flag to false, overriding the previous setting.
This oversight allowed attackers to combine the two actions, [5, 0], to borrow assets while bypassing the solvency verification. As a result, the final solvency check was never performed, allowing the attacker to drain the protocol funds.
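As an added illustration (not code from Abracadabra or BlockSec), the Python model below reproduces the flag reset described above next to a hardened variant in which the solvency flag can be set but never cleared within one cook call. All names other than the action ids 5 and 0 and additionalCookAction are hypothetical, and the collateral and loan amounts are constructed.

```python
# Simplified model of the cook() dispatch pattern described in the article.
# Not Abracadabra's contract code; every name except the action ids 5 and 0
# and the helper's name is hypothetical.
ACTION_BORROW = 5  # sets the "solvency check required" flag
ACTION_OTHER = 0   # routed to the near-empty additionalCookAction helper


class Insolvent(Exception):
    """Stands in for an on-chain revert."""


class CauldronModel:
    def __init__(self, collateral_value, sticky_flag):
        self.collateral_value = collateral_value
        self.debt = 0
        self.sticky_flag = sticky_flag  # True selects the hardened variant

    def _additional_cook_action(self):
        # Does no work and hands back a default status with the flag cleared.
        return {"needs_solvency_check": False}

    def cook(self, actions, amount):
        status = {"needs_solvency_check": False}
        debt_before = self.debt
        for action in actions:
            if action == ACTION_BORROW:
                self.debt += amount
                status["needs_solvency_check"] = True
            elif action == ACTION_OTHER:
                returned = self._additional_cook_action()
                if self.sticky_flag:
                    # Hardened: a later action may set the flag, never clear it.
                    status["needs_solvency_check"] |= returned["needs_solvency_check"]
                else:
                    # Flawed: the helper's default overwrites the shared status.
                    status = returned
        if status["needs_solvency_check"] and self.debt > self.collateral_value:
            self.debt = debt_before  # roll back, as a revert would
            raise Insolvent("debt exceeds collateral after cook")
        return self.debt


def outcome(actions, sticky_flag, collateral_value=0, amount=1000):
    """Return the resulting debt, or 'reverted' if the solvency check fired."""
    try:
        return CauldronModel(collateral_value, sticky_flag).cook(actions, amount)
    except Insolvent:
        return "reverted"
```

The model also shows that the skipped check depends on ordering: with the shared status, [0, 5] still triggers the check, so a regression suite for this kind of dispatcher has to assert the solvency invariant over action sequences rather than over single actions.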
Analysts warn that as DeFi platforms continue to prioritize flexibility and composability, attackers are becoming increasingly adept at identifying overlooked dependencies within the complex smart contract logic. Strengthening testing frameworks, improving code reviews, and implementing continuous monitoring are now seen as essential steps to protect protocols and user funds.
The decentralized finance (DeFi) industry is facing one of its toughest years yet, with exploits set to reach record highs in 2025. The same victim, Abracadabra, suffered a $13 million Ether (ETH) breach on March 25, 2025, after attackers exploited complex logic flaws buried deep within the smart contract architecture.
The exploit targeted GMX token pools and cost 6,260 ETH. Unlike common vulnerabilities related to computation errors or access control, this attack used multi-step transaction logic, making it exceptionally difficult to detect during audits.
That was Abracadabra’s second major exploit of the year, following a $6.49 million incident in January 2024 that destabilized its Magic Internet Money (MIM) stablecoin. The attack involved several ‘cauldrons’ on Ethereum.
Blockchain sleuths Cyvers Alerts later revealed that the hacker used 1 ETH from sanctioned privacy mixer Tornado Cash to fund the operation, ultimately siphoning 2,740 ETH and moving $4 million to a new wallet.
The Abracadabra attack is part of a broader trend of escalating crypto thefts. According to Chainalysis, more than $2.17 billion was stolen between January and June 2025, nearly equaling all of 2024’s total losses. CertiK placed the figure even higher, at $2.47 billion, largely due to February’s $1.5 billion Bybit hack – one of the largest currency breaches in history.
On a monthly basis, hacks caused an estimated $127.06 million in losses in September 2025. While this figure represents a 22% drop from $163 million in August, nearly two dozen major exploits were still recorded. Even with the decline, exploit activity remains high, with losses in September exceeding $142 million in July.
With midyear 2025 losses already exceeding the $2.2 billion stolen in all of 2024, analysts warn that without stronger security measures, this year could be among the worst in crypto history in terms of breaches.
The post Is Abracadabra Cursed? Third Major DeFi Hack This Year Siphons Another $1.8 Million appeared first on Cryptonews.


