The Defi Abracadabra project underwent a new feat which has drained approximately $ 1.7 million in its platform.
The blockchain security firm, Go Security, reported the violation on October 4 and confirmed that the attackers had already turned around 51 ETH through Tornado Cash. At the time of the report, the striker’s portfolio (identified as 0x1aaade) was still held approximately 344 ETH, worth around 1.55 million dollars.
Sponsored
Sponsored
How Abracadabra was exploited for the third time
The security researcher Weilin Li checked the feat and explained that the attacker has manipulated the intelligent abracadabra contract variables to circumvent a solvency control.
This allowed them to borrow assets beyond the planned limit, encouraging the Abracadabra team to suspend all contracts to avoid other losses.
Another blockchain audit firm, Phalcon, has drawn the deep cause of a defective logical sequence in the platform cooking function. It is a mechanism that allows users to perform several predefined actions in a single transaction.
According to the company, the attacker carried out two operations which replaced the key guarantees.
Sponsored
Sponsored
The first, known as action 5, launched a loan process which was supposed to make solvency checks. The second, called action 0, acted as an empty update function which rewrites the control indicator and jumped the final validation stage.
The attacker drained more than 1.79 million MIM tokens by repeating this model on six different addresses.
At the time of the press, Abracadabra has not yet publicly commented on the incident. In particular, the official project account has remained silent since early September.
However, Go Security reported that the Abracadabra team has confirmed on Discord that it would use the DAO reserve funds to buy the assigned MIM offer.
Meanwhile, if it is verified, the last incident would mark the third feat against Abracadabra in less than two years.
In January 2024, the platform lost $ 6.49 million in a hacking that briefly spent the Stablecoin MIM of the US dollar. A second feat in March 2025 drained an additional $ 13 million from its cauldron contracts, after which the team offered a 20%bonus to the pirate.
The recurrence of such violations raises renewed questions on the security of the DEFI protocol and the sustainability of its transversal loan architectures.
