Abracadabra Cauldron V4 cook() Bypass Drains $1.79M in Third Protocol Exploit

The Abracadabra.Money decentralized lending protocol suffered its third major security breach on October 4, 2025, when an attacker exploited a logic flaw in the deprecated Cauldron V4 smart contract’s cook() function to drain approximately 1,793,755 MIM tokens worth roughly $1.79 million. The exploit, first identified by blockchain security firm Go Security at 12:54 PM UTC, exposed how even deprecated contracts that remain active can become vectors for significant losses when unaudited code persists on-chain.

The Exploit Mechanics

The attack centered on a critical vulnerability in the cook() multi-action function, which allows users to bundle multiple operations into a single transaction. The Cauldron V4 contract uses a shared CookStatus struct to track whether a solvency check is required after each action. When Action 5 (borrow) executes, it correctly sets needsSolvencyCheck = true, flagging the system to verify that collateral coverage remains adequate. However, the attacker discovered that Action 0, processed through the _additionalCookAction() function, resets the entire CookStatus struct, effectively clearing the solvency check flag before it is evaluated.

By alternating between Action 5 and Action 0 in a carefully sequenced cook call, the attacker borrowed MIM tokens without any collateral verification. The process was repeated across six different addresses, cumulatively extracting over 1.79 million MIM. Blockchain analysis by Phalcon confirmed the two-action pattern, while security researcher Weilin Li validated the sequence error as the root cause. The stolen MIM was rapidly converted to approximately 395 ETH through Curve and Uniswap liquidity pools before being routed through Tornado Cash to obfuscate the transaction trail.
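A Python model of the shared-state flaw described above, added here as an illustration and not code from the Abracadabra contracts: the action ids follow the article, while the LTV rule, field names and the `reset_bug` switch are constructed assumptions. The `invariant_holds` check is the kind of property a CI invariant test would assert, and it fails only in the vulnerable configuration.

```python
"""Toy model of a cook()-style batched-action loop with a shared status struct.
Constructed illustration, not Abracadabra's contract: the LTV rule, field
names and the reset_bug switch are assumptions; action ids follow the article."""
from dataclasses import dataclass

BORROW, RESET_ACTION = 5, 0  # "Action 5" and "Action 0" in the article


@dataclass
class CookStatus:
    needs_solvency_check: bool = False


@dataclass
class Cauldron:
    collateral: int = 0
    debt: int = 0
    ltv_bps: int = 7500  # assumed: debt may not exceed 75% of collateral

    def solvent(self) -> bool:
        return self.debt * 10_000 <= self.collateral * self.ltv_bps

    def cook(self, actions, borrow_amount: int, reset_bug: bool) -> bool:
        """Apply actions in order; return True if the batch is accepted."""
        debt_before = self.debt
        status = CookStatus()
        for action in actions:
            if action == BORROW:
                self.debt += borrow_amount
                status.needs_solvency_check = True  # flag set correctly
            elif action == RESET_ACTION:
                if reset_bug:
                    status = CookStatus()  # vulnerable: pending flag wiped
                # hardened: a later action may add flags but never clear them
        if status.needs_solvency_check and not self.solvent():
            self.debt = debt_before  # revert the whole batch
            return False
        return True


def invariant_holds(actions, reset_bug: bool) -> bool:
    """Invariant a property test would assert: an accepted batch never leaves
    a cauldron insolvent. Starts with zero collateral, so any accepted borrow
    is a violation."""
    c = Cauldron(collateral=0)
    accepted = c.cook(actions, borrow_amount=100, reset_bug=reset_bug)
    return not accepted or c.solvent()
```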

Affected Systems

The exploit specifically targeted the deprecated Cauldron V4 contracts that remained active on Ethereum. Abracadabra’s modular architecture, built on BentoBox technology, includes DegenBox for collateral storage, individual Cauldrons for isolated lending markets, and optional yield strategies. Although the V4 contracts had been superseded by newer versions, they were never deactivated, leaving them exposed. At the time of the attack, Bitcoin traded at approximately $122,425 and Ethereum at $4,489, meaning the attacker’s 395 ETH haul represented roughly $1.77 million in immediate value.

This marks the third exploit affecting the MIM Spell ecosystem. The first incident in January 2024 cost $6.49 million and briefly caused MIM to depeg from the US dollar. The second, in March 2025, drained $13 million from Cauldron contracts linked to GMX V2 markets. Combined, the three breaches have cost the protocol over $21 million, with each incident revealing a different class of vulnerability in the modular lending architecture.

The Mitigation Strategy

Abracadabra’s team responded by immediately pausing all borrowing activity on affected Cauldrons to prevent further exploitation. The team confirmed via Discord that DAO reserve funds would be used to repurchase the dumped MIM tokens from the open market, neutralizing the price impact on the stablecoin. Notably, no individual user funds were directly affected by the exploit, and the protocol’s total value locked remained at approximately $154 million.

However, the response drew criticism for its communication approach. As of October 5, Abracadabra’s official X (formerly Twitter) account had not publicly addressed the incident, leaving the community reliant on third-party security reports and Discord messages for information. The silence underscored a broader challenge in DeFi incident response: technical remediation must be accompanied by transparent, timely communication to maintain user trust.

Lessons Learned

The Abracadabra exploit reinforces several critical security principles for DeFi protocols. First, deprecated smart contracts should be fully deactivated rather than left running. Dormant code that remains executable on-chain is an open invitation for exploitation, particularly when it has known architectural weaknesses. Second, multi-action batching functions must carefully manage shared state. The CookStatus struct was intended to provide a safety net across compound operations, but its reset by Action 0 transformed it from a safeguard into a vulnerability. Third, protocols should implement continuous monitoring of all deployed contracts, including deprecated versions, rather than focusing audit resources exclusively on the latest releases.

User Action Required

For users who interact with Abracadabra or similar lending protocols, this incident highlights the importance of verifying which contract version you are using before depositing collateral. Check whether the contract address matches the current, audited version published on the protocol’s official documentation. If you hold MIM tokens, monitor the peg stability and be aware that DAO-backed buybacks may temporarily support the price but do not address the underlying contract risk. For DeFi participants more broadly, diversifying across protocols and maintaining awareness of which contract versions hold your funds remains the most effective defense against single-point-of-failure exploits like this one.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before interacting with any DeFi protocol.

14 thoughts on “Abracadabra Cauldron V4 cook() Bypass Drains $1.79M in Third Protocol Exploit”

    1. deprecated_live

      Tomasz Kowal formal verification wouldn't have caught this. the V4 contract was deprecated but still active. the bug was in an action ordering edge case that no audit framework covers

      1. invariant testing catches this. line by line audits don't. the cook function resetting CookStatus on action 0 is a state machine bug not a logic bug

        1. invariant_nerd_

          mev_quiet_ invariant testing would catch this in CI. openzeppelin released their invariant framework months before this exploit. zero excuse

          1. invariant_nerd_ invariant testing in CI should be standard for any protocol over $1M TVL. openzeppelin made it free and accessible. no excuse at all

      2. cook_exploit_

        deprecated_live action ordering edge case that no audit framework covers. this is why you need invariant testing and formal verification, not just line by line audits

    1. Nkechi Obi standard audits aren't enough when deprecated code stays live. protocols need kill switches for old contracts, not just audits for new ones

      1. Fatima Al-Rashid

        cook_action kill switches for deprecated contracts should be mandatory. abracadabra had three major exploits now. at some point the pattern is the problem

        1. three exploits is a pattern not a learning experience. abracadabra needs to sunset deprecated contracts or this keeps happening every 6 months

          1. Asha P. three exploits on the same protocol is a pattern. abracadabra should sunset every deprecated contract immediately or users will keep paying for their negligence

  1. action 0 resetting the entire CookStatus struct is such a basic state management bug. how does this survive any review process

    1. state_overwrite_

      Joon B. action 0 resetting CookStatus is the kind of bug you find in CS101 homework not a protocol holding millions. where was the code review
