Abracadabra.money Hacked Again: $1.7M Stolen in Third Exploit
The DeFi platform Abracadabra.money has once again fallen victim to cybercriminals—its third successful breach in just two years. This time, attackers exploited a vulnerability in outdated token pools on the Ethereum mainnet, allowing them to mint 1.79 million Magic Internet Money (MIM) stablecoins, valued at approximately $1.7 million.
The project team confirmed the incident only on October 6, though analysts had reported it two days earlier, on October 4. Experts determined that the breach stemmed from a flaw in the logic of the “cook” function, which enables multiple predefined operations to be executed within a single transaction. This mechanism, intended to streamline processes, inadvertently created an opening for manipulation and the circumvention of code constraints.
Despite the attack, the MIM token maintained its peg near $1, and the team asserted that user funds remained unaffected. The decentralized autonomous organization (DAO) governing the project repurchased the entire batch of illicitly minted tokens, thereby fully neutralizing the incident’s financial impact. To mitigate further risks, borrowing functions within affected pools were temporarily suspended, and the codebase is now undergoing a comprehensive audit.
Abracadabra.money has also announced a reward for any information leading to the identification of the attacker and reminded the community of its ongoing bug bounty program for reporting code vulnerabilities.
This marks the third such incident involving the platform. In January 2024, Abracadabra.money suffered a loss of around $6 million, followed by another $13 million exploit in March 2025, both linked to Ethereum-based vulnerabilities. Currently, the platform’s ecosystem manages over $152 million in collateral and active liquidity pools.
Operating as a decentralized lending protocol, Abracadabra.money allows users to leverage interest-bearing tokens as collateral to mint MIM stablecoins. However, each successive breach raises serious questions about the resilience of DeFi systems, particularly those burdened by outdated smart contracts still exposed to modern exploitation techniques.