Decentralized finance (DeFi) lending platform Abracadabra has suffered another security breach, losing nearly $1.8 million worth of Magic Internet Money (MIM) tokens in its latest exploit — the third significant hack to strike the protocol since 2024.
According to blockchain security firm BlockSec Phalcon, the attack took place late Saturday when an unidentified hacker exploited a vulnerability in one of Abracadabra’s smart contract functions. The flaw allowed the attacker to bypass solvency checks and withdraw about 1.79 million MIM from the protocol.
“.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common…”
— BlockSec Phalcon (@Phalcon_xyz) October 4, 2025
Investigators traced the hacker’s initial funding to the Tornado Cash mixing service — often used to obscure crypto transactions. After executing the exploit, the attacker reportedly swapped the stolen MIM for Ethereum (ETH) and routed it back through Tornado Cash to conceal their trail.

In a statement shared on Abracadabra’s Discord server, DAO contributor 0xMerlin confirmed the vulnerability had been contained:
“A potential attack vector was identified today in some deprecated contracts. The issue has been mitigated and closed,” they said, noting that the affected funds were reacquired from the market using the DAO treasury and would be repaid in ETH. 0xMerlin also emphasized that no user funds were directly impacted by the exploit.
Abracadabra currently holds around $154 million in total value locked (TVL), with a circulating MIM supply of approximately 44 million tokens across Ethereum and its Layer 2 network Arbitrum.

This incident adds to a troubling pattern for the lending protocol. In January 2024, Abracadabra lost $6.4 million to a similar exploit that also bypassed insolvency checks. Then, in March 2025, hackers drained $13 million in MIM through a complex flash loan attack. In total, the platform has lost more than $21 million in DeFi hacks over the past two years.
Following the latest breach, 0xMerlin said the Abracadabra team is reviewing internal security measures and exploring ways to strengthen the protocol against future attacks. The team has yet to issue an official public statement and did not immediately respond to media inquiries.