DeFi lending protocol Abracadabra has fallen victim to another exploit, losing approximately $1.8 million in MIM tokens in a sophisticated attack that leveraged a flaw in its “cook” function. The breach marks the third major hack linked to Abracadabra this year, deepening concerns about the platform’s contract security.
Earlier in May, the protocol repurchased 6.5 million MIM, covering about half of the $13 million lost in the March exploit. The team confirmed user funds were unaffected and said it allocated part of its $19 million treasury to buy back MIM and stabilize its supply.
Notably, blockchain data shows that the attacker exploited the same flaw across six different wallet addresses. By calling the “cook” function with the specific action sequence, the attacker borrowed 1,793,755 MIM tokens and later swapped them for other assets, netting roughly $1.7 to $1.8 million in total gains.
Security analysts confirmed that the exploit was not due to a reentrancy bug or a typical flash loan vulnerability but stemmed entirely from a logical error in the code. The affected transaction and associated wallets have been flagged by monitoring platforms.
Abracadabra’s development team noted that the DAO has identified and mitigated the exploit, and no other funds/users are at risk.
Early suggestions from security experts include implementing isolated state checks for each action and adding mandatory solvency validations after all borrowing operations.
How Flawed “Cook” Function Was Exploited in Abracadabra Hack
According to blockchain security firm BlockSec, the attack targeted Abracadabra’s “cook” function. This feature is designed to let users execute multiple predefined operations in a single transaction. While this design aims to improve efficiency, it also created a dangerous vulnerability due to shared status tracking within the function.
Each action performed under the “cook” function shares a single status variable. When a borrowing operation (action = 5) occurs, the system sets a flag indicating that a solvency check is required at the end of the transaction.
However, when another action (action = 0) follows, it calls an internal helper function named “additionalCookAction.” This helper function is effectively empty and resets the solvency flag to false, overriding the previous setting.
This oversight allowed attackers to combine the two actions, [5, 0] to borrow assets while bypassing insolvency verification. As a result, the final solvency check was never executed, letting the attacker drain protocol funds.
Analysts warn that as DeFi platforms continue to prioritize flexibility and composability, attackers are becoming increasingly adept at identifying overlooked dependencies within complex smart contract logic. Strengthening testing frameworks, improving code reviews, and implementing continuous monitoring are now seen as essential steps to protect protocols and user funds.
DeFi Hacks Surge in 2025 as Exploits Expose Hidden Smart Contract Risks
The decentralized finance (DeFi) sector is facing one of its toughest years yet, with exploits surging to record highs in 2025. The same victim, Abracadabra, suffered a $13 million Ether (ETH) breach on March 25, 2025, after attackers exploited complex logic flaws buried deep within its smart contract architecture.
The exploit targeted GMX token pools and drained 6,260 ETH. Unlike common vulnerabilities tied to arithmetic errors or access control, this attack leveraged multi-step transaction logic, making it exceptionally difficult to detect during audits.
That was Abracadabra’s second major exploit of the year, following a $6.49 million incident in January 2024 that destabilized its Magic Internet Money (MIM) stablecoin. The attack involved several “cauldrons” on Ethereum.
Blockchain sleuths Cyvers Alerts later revealed that the hacker used 1 ETH from Tornado Cash, the sanctioned privacy mixer, to fund the operation, eventually siphoning off 2,740 ETH and moving $4 million to a new wallet.
The Abracadabra attack is part of a broader trend of escalating crypto thefts. According to Chainalysis, over $2.17 billion was stolen between January and June 2025, nearly matching all of 2024’s total losses. CertiK placed the figure even higher, at $2.47 billion, driven largely by February’s $1.5 billion Bybit hack—one of the largest exchange breaches in history.
On a monthly basis, hacks caused an estimated $127.06 million in losses in September 2025. While the figure represents a 22% drop from August’s $163 million, nearly 20 major exploits were still recorded. Even with the decline, exploit activity remains high, with September losses exceeding July’s $142 million.
With 2025’s mid-year losses already surpassing the $2.2 billion stolen in all of 2024, analysts warn that without stronger security measures, this year could rank among the worst in crypto’s history for breaches.
The post Is Abracadabra Cursed? Third Major DeFi Hack This Year Siphons Another $1.8M appeared first on Cryptonews.