In October 2025, Abracadabra, a DeFi lending protocol and the creator of the Magic Internet Money (MIM) stablecoin, was the victim of an approximately $1.8 million hack. The attacker exploited vulnerabilities in the protocol’s smart contracts to steal 1.79 million MIM from the protocol.
This incident was only the latest in a series of high-value exploits against the protocol. In January 2024, the protocol suffered a smart contract exploit with $6.4 million in losses, and a March 2025 flash loan attack involved the theft of $13 million in MIM from the protocol.
Inside the Attack
Abracadabra is a DeFi lending protocol that has built-in solvency checks, which are designed to limit the amount that a user is permitted to borrow from the protocol. However, both the January 2024 and October 2025 hacks of the protocol managed to bypass these defenses to drain value from the protocol.
In this case, the attacker exploited logical errors within the cook function of the protocol’s deprecated v4 cauldrons on Ethereum, performing multiple operations within a single transaction. The first operation borrowed from the protocol, while the second hit an else block that reset the protocol’s status to its default state. Since needsSolvencyCheck defaults to zero (false) in that default state, the reset disabled the protection against borrowing beyond a defined limit.
After draining value from the protocol, the attacker used Tornado Cash to launder the funds and cover their tracks. In response to the incident, the protocol purchased 1.79 million MIM from the market to offset the effects of the hack and maintain the stablecoin’s peg.
Lessons Learned from the Attack
Abracadabra has suffered multiple significant breaches within the space of a couple of years. One common theme is that these incidents all targeted the protocol’s smart contracts rather than the off-chain attacks involving private keys that have become more common recently.
While the protocol has implemented protections against these types of attacks, they’re not applied in all cases, and business logic errors open up opportunities for exploitation. In this case, performing multiple operations within the same transaction exploited the fact that both operations shared state within the cook function. This allowed the attacker to take malicious actions, then cover their tracks by resetting critical variables to default values.
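To make the shared-state failure described above (and in the attack walkthrough) concrete, here is a constructed Solidity illustration, not Abracadabra's code: a batch-style function whose else branch rebuilds the status struct from defaults, beside a corrected version that threads the same struct through every action. The action id, BORROW_LIMIT and helper names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the shared-status flaw, not Abracadabra's code.
// Action ids, BORROW_LIMIT and helper names are assumptions.
contract CookStatusDemo {
    uint8 public constant ACTION_BORROW = 1;
    uint256 public constant BORROW_LIMIT = 1000 ether;
    struct CookStatus {
        bool needsSolvencyCheck; // a fresh struct defaults this to false (zero)
    }
    mapping(address => uint256) public borrowPart;

    // VULNERABLE: the else branch overwrites the status shared by all actions
    // in the batch, so "borrow, then any other action" never reaches the check.
    function cookVulnerable(uint8[] calldata actions, uint256[] calldata amounts) external {
        CookStatus memory status;
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                borrowPart[msg.sender] += amounts[i];
                status.needsSolvencyCheck = true;
            } else {
                status = _otherActionFresh(actions[i]); // BUG: flag reset to default
            }
        }
        _finish(status);
    }

    // FIXED: every action receives and returns the same status object, so a
    // flag set earlier in the batch survives until the final check.
    function cookFixed(uint8[] calldata actions, uint256[] calldata amounts) external {
        CookStatus memory status;
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                borrowPart[msg.sender] += amounts[i];
                status.needsSolvencyCheck = true;
            } else {
                status = _otherAction(status, actions[i]);
            }
        }
        _finish(status);
    }

    function _otherActionFresh(uint8) internal pure returns (CookStatus memory s) {}
    function _otherAction(CookStatus memory s, uint8) internal pure returns (CookStatus memory) { return s; }
    function _finish(CookStatus memory status) internal view {
        if (status.needsSolvencyCheck) {
            require(borrowPart[msg.sender] <= BORROW_LIMIT, "borrow limit exceeded");
        }
    }
}
```

An audit check for this class of bug is to trace every write to the batch status object and confirm that no branch replaces it wholesale; only individual fields should be set, and the final check should depend on the accumulated struct rather than on the last action's return value.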
These types of incidents underscore the importance of performing smart contract audits that look both for common vulnerabilities and deviations in the code from the intended logic of the protocol. To learn more about how to protect your protocol against these types of threats, get in touch.