TLDR
- Abracadabra’s third exploit drains $1.7 million, exploiting smart contract flaws.
- Hackers laundered stolen funds via Tornado Cash after attacking Abracadabra.
- Abracadabra pauses contracts to limit further losses from the latest breach.
- Abracadabra’s prior hacks in 2024 and 2025 led to $19.5 million in losses.
Abracadabra, a decentralized finance (DeFi) protocol, has fallen victim to its third major exploit. Hackers drained approximately $1.7 million from the platform, marking another setback for the project. The breach was first identified by blockchain security firm Go Security on October 4, 2025. This attack follows previous incidents in which the platform lost millions, raising concerns over its security measures.
How the Attack Unfolded
On October 4, Go Security reported the latest breach, revealing that hackers had exploited a vulnerability in Abracadabra’s smart contract. The attackers manipulated the platform’s contract variables, allowing them to bypass a solvency check. This let them borrow assets beyond the intended limit, resulting in a substantial loss for the protocol.
Weilin Li, a security researcher, confirmed the breach, explaining that the vulnerability occurred due to faulty logic in the smart contract. The attack took advantage of a sequence error within Abracadabra’s cook function, which is designed to execute multiple actions in a single transaction. According to Phalcon, another blockchain audit firm, the exploit occurred through two specific actions.
The first, called “action 5,” triggered a borrowing process that is meant to be subject to a solvency check. The second, labeled “action 0,” bypassed the validation step by overriding the check flag. The attackers repeated this sequence across six different addresses, stealing over 1.79 million MIM tokens.
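The ordering flaw described above can be modelled in a few lines. This is an added example, not Abracadabra’s contract code: the Market class, the collateral factor and the way a non-borrow action clears the flag are assumptions of the model, and only the action numbers 5 and 0 and the overridden check flag come from the reports quoted here. It sets the overwritable flag beside a hardened variant in which the flag can only be raised during a batch.

```python
# Simplified model, constructed for illustration (not the protocol's code).
ACTION_NOOP, ACTION_BORROW = 0, 5  # action numbers as reported on the page
COLLATERAL_FACTOR = 0.5            # assumed value for the model


class Insolvent(Exception):
    pass


class Market:
    def __init__(self, collateral, sticky_flag):
        self.collateral = collateral
        self.debt = 0
        self.sticky_flag = sticky_flag  # True selects the hardened variant

    def _solvent(self):
        return self.debt <= self.collateral * COLLATERAL_FACTOR

    def _run(self, action, amount):
        """Execute one action and report whether it demands a solvency check."""
        if action == ACTION_BORROW:
            self.debt += amount
            return True
        return False  # assumption: any other action reports "no check needed"

    def cook(self, actions):
        """Run a batch atomically; roll back if the final check fails."""
        snapshot = self.debt
        needs_check = False
        for action, amount in actions:
            result = self._run(action, amount)
            if self.sticky_flag:
                needs_check = needs_check or result  # flag can only be raised
            else:
                needs_check = result  # flaw: a later action overwrites the flag
        if needs_check and not self._solvent():
            self.debt = snapshot
            raise Insolvent("batch leaves the position undercollateralised")
        return self.debt


def outstanding_debt(sticky_flag, actions):
    """Debt left on a fresh market (collateral 100) after one cook() batch."""
    market = Market(collateral=100, sticky_flag=sticky_flag)
    try:
        return market.cook(actions)
    except Insolvent:
        return market.debt  # batch was rolled back
```

The invariant worth testing in any batch executor of this kind is that no action ordering can lower a safety flag once an earlier action in the same batch has raised it.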
The Response from Abracadabra’s Team
Following the exploit, Abracadabra’s team quickly acted to prevent further damage. They paused all contracts on the platform to limit additional losses. At the time of reporting, the hacker’s wallet contained around 344 ETH, worth roughly $1.55 million, though the stolen funds had already been partially laundered through Tornado Cash.
Go Security noted that the Abracadabra team confirmed on Discord that it would use its DAO reserve funds to repurchase the affected MIM tokens. However, as of October 5, the official social media channels of Abracadabra, including its X account, remained silent on the incident. This lack of communication has raised concerns about the project’s ongoing transparency.
Previous Exploits Raise Concerns
This breach is not the first time Abracadabra has been targeted by attackers. In January 2024, the platform suffered a hack that resulted in a $6.49 million loss and briefly caused the MIM stablecoin to depeg from the US dollar. A second exploit in March 2025 drained an additional $13 million from Abracadabra’s cauldron contracts, leading the team to offer the hacker a 20% bounty in exchange for the stolen funds.
The recurrence of such breaches in a relatively short period has prompted ongoing questions about the security of the platform. Despite the team’s efforts to address vulnerabilities, these repeated attacks have damaged the project’s reputation and raised concerns about the sustainability of its cross-chain lending system.
The Future of Abracadabra’s Security
As the third exploit adds to the growing list of security issues, the DeFi space is left questioning how Abracadabra plans to strengthen its protocols moving forward. While the team’s response to the current exploit appears swift, it remains to be seen whether these actions will be enough to restore user trust and prevent further breaches.
The continued challenges faced by Abracadabra highlight the importance of robust security measures in the rapidly evolving DeFi sector. For now, the platform’s future security strategy will likely remain under scrutiny as both developers and users await clearer answers from the project’s team.