The Abracadabra Hack: $1.8M Lost to Logic Error
On October 4, 2025, Abracadabra lost $1.8M through a logic error in deprecated Cauldron V4 contracts. Learn how the cook() function vulnerability bypassed solvency checks.
The Abracadabra Hack: $1.8M Lost to Logic Error in Deprecated Contracts
On October 4, 2025, Abracadabra—a DeFi lending protocol and creator of the Magic Internet Money (MIM) stablecoin—suffered its third major exploit in less than two years, losing approximately $1.8 million (1,793,766 MIM tokens). The attack exploited a critical logic flaw in the protocol's cook() function within deprecated Cauldron V4 contracts on Ethereum, marking another chapter in a troubling pattern of security vulnerabilities.
Attack Overview
Date: October 4, 2025
Loss Amount: $1.8 million (1,793,766 MIM tokens)
Vulnerability: Logic error in cook() function allowing solvency check bypass
Target: Deprecated Cauldron V4 contracts
Attacker Address: 0x01ADe (funded via Tornado Cash)
The Vulnerability: cook() Function Logic Error
The attacker cleverly manipulated Abracadabra's multi-action transaction system to bypass solvency checks designed to prevent under-collateralized borrowing. The protocol's cook() function allows users to execute multiple predefined operations in a single transaction, with each operation represented by a numerical action code that modifies a shared CookStatus struct tracking whether solvency validation is required.
Attack Execution Flow
┌─────────────────────────────────────────────────────────┐
│ ABRACADABRA EXPLOIT EXECUTION FLOW │
└─────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────┐
│ ATTACKER INITIATES EXPLOIT │
│ • Wallet: 0x01ADe │
│ • Funded via Tornado Cash │
│ • Targets Cauldron V4 contracts │
└──────────────┬───────────────────────────┘
│
▼
┌──────────────────────────────────────────┐
│ STEP 1: ACTION 5 (BORROW) │
│ • Initiate borrowing sequence │
│ • Set needsSolvencyCheck = true │
│ • Borrow MIM tokens without collateral │
└──────────────┬───────────────────────────┘
│
▼
┌──────────────────────────────────────────┐
│ STEP 2: ACTION 0 (NO-OP RESET) │
│ • Call _additionalCookAction() │
│ • Return fresh CookStatus struct │
│ • Reset needsSolvencyCheck = false │
│ • BYPASS solvency validation │
└──────────────┬───────────────────────────┘
│
▼
┌──────────────────────────────────────────┐
│ STEP 3: REPEAT ACROSS 6 ADDRESSES │
│ • Systematically drain protocol funds │
│ • Total stolen: 1,793,766 MIM │
│ • Value: ~$1.8 million │
└──────────────┬───────────────────────────┘
│
▼
┌──────────────────────────────────────────┐
│ STEP 4: FUND LAUNDERING │
│ • Swap MIM → Stablecoins (Curve) │
│ • Convert to ETH (Uniswap) │
│ • Launder 395 ETH via Tornado Cash │
│ • 46 separate transactions │
└──────────────────────────────────────────┘
The Vulnerable Code
The critical vulnerability existed in this code snippet within the cook() function:
// Vulnerable implementation in Cauldron V4
function _additionalCookAction(
CookStatus memory status,
bytes memory data
) internal pure returns (CookStatus memory) {
// Returns fresh struct with default values
// This resets needsSolvencyCheck to false
return CookStatus(false);
}
// Attack pattern executed by exploiter
function exploitPattern() external {
// Action 5: Borrow (sets needsSolvencyCheck = true)
cook(5, borrowData);
// Action 0: No-Op (resets needsSolvencyCheck = false)
cook(0, emptyData);
// Final solvency check bypassed!
// Attacker walks away with under-collateralized loan
}
Root Cause Analysis
Deprecated but Active Contracts: The vulnerable Cauldron V4 contracts were deprecated, meaning they were no longer the primary version used by the protocol. However, they remained active and accessible to users. This represents a common DeFi security pitfall—legacy code that hasn't been properly deactivated.
Lack of Recent Audits: The base CauldronV4 contracts had not undergone security audits since November 2023, as the development team's focus shifted to newer features. This audit gap left the logic error undetected for an extended period.
Shared State Management: The cook() function's design allowed different actions to share and modify the same CookStatus struct. Without proper safeguards preventing status resets during critical operations, this created an exploitable pathway.
Attack Timeline
| Time | Event | Details |
|---|---|---|
| Pre-Attack | Attacker Preparation | Wallet 0x01ADe funded via Tornado Cash |
| Oct 4, 2025 | Exploit Execution | 1,793,766 MIM tokens stolen via cook() function |
| Immediate | Fund Conversion | MIM swapped to stablecoins (Curve) then ETH (Uniswap) |
| Detection | Security Alert | Go Security detects breach, 51 ETH already laundered |
| Response | Protocol Mitigation | Borrowing paused, DAO buyback of MIM tokens |
| Laundering | Tornado Cash | 395 ETH laundered via 46 separate transactions |
Pre-Attack
Event: Attacker Preparation
Wallet 0x01ADe funded via Tornado Cash
Oct 4, 2025
Event: Exploit Execution
1,793,766 MIM tokens stolen via cook() function
Immediate
Event: Fund Conversion
MIM swapped to stablecoins then ETH
Detection
Event: Security Alert
Go Security detects breach, 51 ETH laundered
Response
Event: Protocol Mitigation
Borrowing paused, DAO buyback executed
Laundering
Event: Tornado Cash
395 ETH laundered via 46 transactions
Protocol Response
Contract Suspension: The team immediately paused all borrowing functionality from the affected Cauldron contracts to prevent further exploitation.
Treasury Buyback: Using DAO reserve funds, Abracadabra repurchased the 1.79 million dumped MIM tokens from secondary markets to maintain the stablecoin's $1 peg and mitigate market impact.
User Fund Protection: According to DAO representative 0xMerlin, user funds were not directly affected by the exploit—only protocol treasury assets were compromised.
Historical Pattern: Third Exploit in Two Years
This October 2025 incident marked the third major exploit targeting Abracadabra, raising serious concerns about the protocol's security posture:
| Date | Loss Amount | Attack Type |
|---|---|---|
| January 2024 | $6.5 million | Smart contract vulnerability |
| March 2025 | $13 million | Flash loan attack on cauldron contracts |
| October 2025 | $1.8 million | Logic error in cook() function |
| Total | $21.3 million | 3 major exploits |
January 2024
Loss: $6.5 million
Smart contract vulnerability
March 2025
Loss: $13 million
Flash loan attack on cauldron contracts
October 2025
Loss: $1.8 million
Logic error in cook() function
Total Impact
$21.3 million lost across 3 major exploits in under 2 years
Security Lessons for DeFi Protocols
Deactivate Deprecated Contracts: Legacy smart contracts that are no longer actively maintained should be properly deactivated or have their functionality restricted. Simply labeling contracts as "deprecated" without enforcing access controls leaves attack vectors open.
Continuous Audit Coverage: Security audits should be conducted regularly, not just at launch. Any contracts that remain accessible to users—even deprecated ones—require ongoing security review, especially when they interact with active protocol components.
State Management Safeguards: Multi-action functions that share mutable state require careful design with explicit safeguards against unintended state resets. Critical security flags like needsSolvencyCheck should not be resettable through generic action handlers.
Fail-Safe Mechanisms: Protocols should implement circuit breakers and automated pause mechanisms that activate when suspicious patterns are detected, limiting potential damage from zero-day exploits.
Transparent Communication: Abracadabra's lack of public communication (inactive social accounts, no official statements) during a security crisis erodes user trust. Clear, timely disclosure is essential for maintaining community confidence.
Improved Security Implementation
// Recommended secure implementation
contract SecureCauldron {
struct CookStatus {
bool needsSolvencyCheck;
bool locked; // Prevent state resets during critical ops
}
function _additionalCookAction(
CookStatus memory status,
bytes memory data
) internal pure returns (CookStatus memory) {
// Preserve critical security flags
require(!status.locked, "Cannot reset during locked state");
// Only reset if explicitly safe
if (!status.needsSolvencyCheck) {
return CookStatus(false, false);
}
// Maintain security check requirement
return status;
}
function cook(
uint8[] calldata actions,
bytes[] calldata datas
) external {
CookStatus memory status = CookStatus(false, false);
for (uint256 i = 0; i < actions.length; i++) {
if (actions[i] == 5) { // Borrow action
status.needsSolvencyCheck = true;
status.locked = true; // Lock state during borrow
}
status = executeAction(actions[i], datas[i], status);
}
// Always validate solvency if flagged
if (status.needsSolvencyCheck) {
_validateSolvency();
}
}
}
Current Status and Future Implications
As of October 2025, Abracadabra maintains approximately $154 million in Total Value Locked (TVL) and plans to continue protocol development. However, the pattern of repeated security incidents poses significant risks to the protocol's long-term viability.
While the DAO's quick buyback prevented immediate market disruption and protected the MIM peg, each successive exploit damages user confidence and raises questions about the protocol's security architecture. The DeFi community increasingly scrutinizes projects with multiple breach histories, as they may indicate deeper structural issues beyond individual vulnerabilities.
Summing Up
The Abracadabra exploit serves as a critical reminder that deprecated doesn't mean safe in smart contract development. With $21.3 million lost across three exploits in under two years, the protocol demonstrates how past vulnerabilities often predict future risks without fundamental security improvements. For the broader DeFi ecosystem, this incident underscores the importance of comprehensive security practices—from initial development through ongoing maintenance—and the cost of security failures that extends beyond immediate financial losses to encompass reputational damage and eroded trust in decentralized finance.
.png&w=3840&q=75)
