Abracadabra Money Suffers Third Exploit in Two Years as Cauldron V4 Logic Flaw Drains $1.8M

DeFi lending protocol Abracadabra Money has been hit by its third major exploit in under two years. On October 4, 2025, an attacker exploited a critical business logic vulnerability in the protocol’s deprecated Cauldron V4 smart contracts, draining approximately $1.8 million worth of assets including 1,793,766 MIM stablecoins and 395 ETH. The incident raises serious questions about the security of aging DeFi infrastructure and the risks of leaving deprecated contracts active on mainnet.

TL;DR

  • Abracadabra Money lost approximately $1.8 million in its third exploit since January 2024
  • The attacker exploited a logic flaw in the deprecated Cauldron V4 cook() function
  • By combining Action 5 (BORROW) with Action 0 (CUSTOM), the attacker bypassed solvency checks
  • 1,793,766 MIM and 395 ETH were stolen and laundered through Tornado Cash
  • Total losses across all three exploits now exceed $21 million

How the Attack Worked

The vulnerability resided in the cook() function of Abracadabra’s Cauldron V4 contracts deployed on Ethereum. The cook() function is a multi-action processor that allows users to perform multiple operations within a single transaction — a common pattern in DeFi for gas optimization. The function relies on a CookStatus struct to track whether a solvency check is needed after all actions are completed.

Here is where the logic flaw becomes critical. When a user executes Action 5 (BORROW), the function correctly sets needsSolvencyCheck to true, ensuring that the protocol verifies the borrower has adequate collateral. However, when Action 0 (CUSTOM) is executed next, the internal _additionalCookAction() function returns an entirely new CookStatus struct with needsSolvencyCheck set to its default value of false. This new struct completely overwrites the existing status variable, erasing the requirement for a solvency check.

The attacker exploited this by calling cook() with the action sequence [5, 0]. Action 5 borrowed funds and flagged the need for a solvency check. Action 0 then wiped that flag. The final check found needsSolvencyCheck set to false and allowed the transaction to complete without verifying collateral. The attacker repeated this cycle multiple times, systematically draining the protocol’s funds.
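To make the struct-overwrite flaw concrete, here is an added, constructed Solidity model; it is not Abracadabra's code, and the contract, the toy solvency rule (debt may not exceed deposited collateral) and the hook names are assumptions that follow the article's description. The vulnerable variant reproduces the [5, 0] behaviour described above; the hardened variant shows two defensive changes: the hook receives the existing status and can only add requirements to it, and the final check is additionally derived from whether debt actually grew during the call, so it no longer depends on a single mutable flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed, simplified model of a multi-action "cook" processor.
// CookStatus, needsSolvencyCheck, action ids 0/5 and _additionalCookAction
// follow the article's description; everything else is an assumption.
contract CookStatusDemo {
    struct CookStatus {
        bool needsSolvencyCheck;
    }

    uint8 constant ACTION_CUSTOM = 0;
    uint8 constant ACTION_BORROW = 5;

    mapping(address => uint256) public debt;
    mapping(address => uint256) public collateral;

    // Toy solvency rule (assumption): debt may not exceed collateral.
    function _isSolvent(address user) internal view returns (bool) {
        return debt[user] <= collateral[user];
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    // VULNERABLE pattern: the hook returns a brand-new struct, so whatever
    // earlier actions recorded in `status` is lost when the result is assigned.
    function _additionalCookActionVulnerable(uint8 /*action*/)
        internal pure returns (CookStatus memory)
    {
        CookStatus memory fresh; // needsSolvencyCheck defaults to false
        return fresh;
    }

    function cookVulnerable(uint8[] calldata actions, uint256 borrowAmount) external {
        CookStatus memory status;
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                debt[msg.sender] += borrowAmount;
                status.needsSolvencyCheck = true;
            } else if (actions[i] == ACTION_CUSTOM) {
                status = _additionalCookActionVulnerable(actions[i]); // flag erased here
            }
        }
        if (status.needsSolvencyCheck) {
            require(_isSolvent(msg.sender), "insolvent");
        }
    }

    // HARDENED pattern: the hook takes the current status as input and may only
    // add requirements; a flag set by an earlier action can never be cleared.
    function _additionalCookActionHardened(CookStatus memory status, uint8 /*action*/)
        internal pure returns (CookStatus memory)
    {
        // custom logic would OR its own flags in here; it never resets existing ones
        return status;
    }

    function cookHardened(uint8[] calldata actions, uint256 borrowAmount) external {
        CookStatus memory status;
        uint256 debtBefore = debt[msg.sender];
        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                debt[msg.sender] += borrowAmount;
                status.needsSolvencyCheck = true;
            } else if (actions[i] == ACTION_CUSTOM) {
                status = _additionalCookActionHardened(status, actions[i]);
            }
        }
        // Defense in depth: the check fires if any action flagged it OR if debt
        // grew during this call, so a cleared flag alone cannot skip it.
        if (status.needsSolvencyCheck || debt[msg.sender] > debtBefore) {
            require(_isSolvent(msg.sender), "insolvent");
        }
    }
}
```

With no collateral deposited, `cookVulnerable([5, 0], amount)` leaves the caller holding debt and never reverts, while `cookHardened([5, 0], amount)` reverts with "insolvent". A regression test that asserts exactly that revert for every action ordering that includes a borrow is the kind of check a multi-action processor should carry permanently, since the bug is invisible when actions are tested one at a time.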

From Borrowing to Laundering

After extracting 1,793,766 MIM and 395 ETH from the protocol, the attacker moved quickly to convert and obfuscate the stolen funds. The MIM tokens were swapped for ETH through Curve Finance and Uniswap, and the resulting ETH was transferred through Tornado Cash — the sanctioned mixing service that remains a go-to tool for crypto criminals seeking to break the on-chain trail of stolen assets.

A Pattern of Vulnerabilities

This exploit is not an isolated incident for Abracadabra. The protocol has now suffered three significant breaches, each exploiting different weaknesses in its smart contract infrastructure:

  • January 2024: A smart contract exploit resulted in a $6.4 million loss
  • March 2025: A flash loan attack drained $13 million from the protocol
  • October 2025: The cook() function logic error cost $1.8 million

The cumulative losses now exceed $21 million, and each incident has chipped away at community confidence in the protocol’s security posture. The fact that the October exploit targeted deprecated contracts that were still active on mainnet has drawn particular criticism from security researchers.

The Response and Market Impact

The Abracadabra DAO responded to the attack with an emergency pause of all borrowing from affected Cauldrons. The DAO treasury initiated buybacks of dumped MIM tokens to stabilize the stablecoin’s peg, and the team reported that no user funds were directly affected by the exploit. The protocol’s Total Value Locked remained at approximately $154 million following the incident.

However, the market impact was noticeable. Magic Internet Money (MIM) saw a 16.98% drop in trading volume immediately following the exploit, and the stablecoin had already been on a 60-day price decline of 40.26% leading up to the incident. The attack intensified existing community calls for comprehensive smart contract audits and stress testing of all active contracts, including deprecated versions.

Lessons for DeFi Security

The Abracadabra exploit highlights several critical lessons for the broader DeFi ecosystem. First, deprecated smart contracts that remain active on mainnet represent a significant attack surface. Protocols must either fully deprecate and disable old contracts or ensure they receive the same level of security scrutiny as new deployments. Second, state management in Solidity is a common source of vulnerabilities. The cook() function’s flaw — allowing a returned struct to overwrite critical state — is a pattern that automated security tools should be designed to detect.

The exploit also underscores the importance of proactive security measures. According to the security firm Olympix, its automated scanning tools had identified this exact vulnerability in Abracadabra’s codebase before the exploit occurred. Had the protocol acted on those findings, the $1.8 million loss could have been prevented entirely.

Why This Matters

Three exploits in two years is not bad luck — it is a systemic security failure. Abracadabra’s experience serves as a warning to every DeFi protocol with aging infrastructure still live on mainnet. Deprecated does not mean disabled. Every active contract is a potential entry point for attackers, and the more complex the interaction patterns (like cook()’s multi-action system), the more likely that subtle logic flaws exist undetected.

With Bitcoin hovering around $114,472 and Ethereum at $4,158 in late October 2025, the total value locked in DeFi protocols represents an enormous honeypot for attackers. The industry cannot afford to treat smart contract security as a one-time audit exercise. Continuous monitoring, automated vulnerability detection, and rapid decommissioning of deprecated contracts must become standard practice — or protocols will continue to learn these lessons the expensive way.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. DeFi protocols carry inherent risks including smart contract vulnerabilities. Always conduct your own research before depositing funds into any protocol.


5 thoughts on “Abracadabra Money Suffers Third Exploit in Two Years as Cauldron V4 Logic Flaw Drains $1.8M”

  1. Action 5 setting needsSolvencyCheck to true and then action 0 overwriting it with false. Classic struct overwrite bug. A basic audit should catch this.

  2. Third exploit in two years and they still left deprecated V4 contracts active on mainnet. The cost of a migration vs. the cost of another 1.8M drain. Bad math.
