The decentralized finance sector faces yet another stark reminder of the dangers lurking in smart contract code. On October 4, 2025, blockchain security firm Go Security flagged a critical exploit on Abracadabra Money, the lending protocol behind the Magic Internet Money (MIM) stablecoin. By the time the dust settled, attackers had drained approximately $1.8 million — 1,793,766 MIM stablecoins and 395 ETH — through a deceptively simple state management flaw in the protocol’s deprecated Cauldron V4 contracts.
The incident marks the third major security breach for Abracadabra in under two years, following a $6.4 million exploit in January 2024 and a devastating $13 million flash loan attack in March 2025. With Bitcoin trading at $123,513 and Ethereum at $4,515 at the time of the breach, the broader crypto market showed no signs of distress — making this exploit a purely technical failure, not a market-driven event.
The Exploit Mechanics
The vulnerability resided in the cook() function within Abracadabra’s Cauldron V4 smart contracts deployed on Ethereum. This function serves as a multi-action processor, enabling users to execute multiple operations — borrowing, depositing collateral, withdrawing — within a single transaction. It is a common pattern in DeFi protocols, designed for gas optimization and improved user experience.
At the heart of the function lies a CookStatus struct that tracks whether a solvency check is required after operations complete. When a user borrows funds through Action 5 (ACTION_BORROW), the function correctly sets needsSolvencyCheck to true, ensuring the protocol verifies adequate collateral exists before the transaction finalizes.
The critical flaw emerged when Action 0 (ACTION_CUSTOM) executed. The _additionalCookAction() helper function returned a freshly initialized CookStatus struct, whose needsSolvencyCheck field defaults to false, and its return value was assigned over the existing status variable. Any solvency flag set by earlier actions in the same cook() call was therefore silently discarded.
The attacker’s exploit sequence was elegant in its simplicity: call cook() with the action array [5, 0]. Action 5 borrows funds and sets the solvency check flag to true. Action 0 then triggers _additionalCookAction(), which returns a fresh struct overwriting the status and setting the flag back to false. When the function reaches its final check, needsSolvencyCheck is false — the collateral verification is skipped entirely, and the transaction completes successfully.
By repeating this cycle across multiple transactions, the attacker systematically drained 1,793,766 MIM and 395 ETH from the protocol’s reserves without ever providing adequate collateral. The stolen funds were subsequently converted to ETH through Curve Finance and Uniswap before being routed through Tornado Cash for obfuscation.
Affected Systems
The exploit specifically targeted the deprecated Cauldron V4 contracts, which remained active on Ethereum despite being superseded by newer versions. This is a systemic issue across DeFi: deprecated contracts are often left operational for backward compatibility, creating a growing attack surface that receives diminishing security attention over time.
Abracadabra’s Total Value Locked stood at approximately $154 million at the time of the exploit. While no individual user funds were directly affected — only protocol reserves were drained — the incident had immediate market consequences. MIM stablecoin trading volume dropped 16.98 percent within hours of the breach, and temporary pressure mounted on the MIM peg.
The broader October 2025 security landscape painted a deceptive picture of calm. Total hack losses across the crypto sector fell to just $18.18 million across 15 incidents, representing an 85.7 percent decline from September’s $127.06 million. However, this figure was skewed by the absence of large-scale attacks rather than genuine security improvements.
The Mitigation Strategy
Abracadabra’s response was swift and multi-pronged. The team immediately enacted an emergency pause on all borrowing from the affected Cauldron contracts, halting further exploitation. The DAO treasury then deployed its own funds to purchase 1.79 million MIM from the open market, counteracting the dumped supply and stabilizing the stablecoin’s peg.
From a technical standpoint, the mitigation exposed several critical failures in the protocol’s security posture. Deprecated contracts should never remain active without ongoing security reviews. The Cauldron V4 contracts, while superseded, still held significant value and should have been subject to continuous auditing — particularly given Abracadabra’s history of breaches.
The root cause — a state management error where a helper function returned a new struct instead of modifying existing state — is a well-known class of vulnerability in Solidity. It highlights the importance of rigorous code review patterns around shared mutable state, especially in functions that process sequential actions.
Lessons Learned
The Abracadabra exploit reinforces several hard truths about DeFi security that the industry continues to learn at significant cost. First, deprecated infrastructure is not inert infrastructure. Contracts that remain deployed and funded remain targets, and their security posture degrades as attention shifts to newer systems.
Second, repetitive breach patterns demand fundamental architectural review, not incremental patching. Three major exploits in under two years — each targeting different aspects of the protocol — suggest systemic weaknesses in the development and audit process rather than isolated mistakes.
Third, state management in multi-action functions requires explicit protection mechanisms. The pattern of using a shared struct to track safety checks across sequential operations is fragile by design. Protocols should implement immutable safety flags that cannot be overwritten by subsequent actions, or adopt a cumulative check model where each action can only add requirements, never remove them.
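The struct-overwrite pattern described in The Exploit Mechanics and the cumulative check model proposed above, side by side in one reduced contract. This is an added illustration, not Abracadabra's code: the names CookStatus, cook, _additionalCookAction, ACTION_BORROW and ACTION_CUSTOM follow the article, while the single-asset collateral accounting, the 75 percent collateral ratio, the deposit function and the hardened/vulnerable toggle are assumptions made so the control flow stands on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the cook()/CookStatus flaw, not the protocol's code.
// Only the control-flow shape follows the article; the accounting is a toy.
contract CookPatternDemo {
    uint8 public constant ACTION_CUSTOM = 0;
    uint8 public constant ACTION_BORROW = 5;

    struct CookStatus {
        bool needsSolvencyCheck;
    }

    mapping(address => uint256) public collateral; // assumed: single ETH-denominated asset
    mapping(address => uint256) public debt;
    uint256 public constant COLLATERAL_RATIO_BPS = 7500; // assumed 75% loan-to-value

    // One contract shows both behaviours for comparison; a real fix simply
    // removes the vulnerable branch.
    bool public immutable hardened;

    constructor(bool _hardened) {
        hardened = _hardened;
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    // Helper shaped as the article describes: it builds and returns a brand-new
    // struct, so needsSolvencyCheck is false regardless of what the caller passed in.
    function _additionalCookAction(CookStatus memory /* status */)
        internal
        pure
        returns (CookStatus memory)
    {
        CookStatus memory fresh; // zero-initialized: needsSolvencyCheck == false
        return fresh;
    }

    function cook(uint8[] calldata actions, uint256[] calldata values) external {
        require(actions.length == values.length, "length mismatch");
        CookStatus memory status;

        for (uint256 i = 0; i < actions.length; i++) {
            if (actions[i] == ACTION_BORROW) {
                debt[msg.sender] += values[i];
                status.needsSolvencyCheck = true; // borrowing must be checked at the end
            } else if (actions[i] == ACTION_CUSTOM) {
                CookStatus memory extra = _additionalCookAction(status);
                if (hardened) {
                    // Cumulative model: a later action may add a requirement,
                    // never clear one. OR-merge instead of assign.
                    status.needsSolvencyCheck =
                        status.needsSolvencyCheck || extra.needsSolvencyCheck;
                } else {
                    // Vulnerable shape: whole struct replaced, flag from the
                    // earlier borrow is lost.
                    status = extra;
                }
            } else {
                revert("unknown action");
            }
        }

        // With actions [5, 0] this branch runs only in hardened mode.
        if (status.needsSolvencyCheck) {
            require(_isSolvent(msg.sender), "insolvent");
        }
    }

    function _isSolvent(address user) internal view returns (bool) {
        return debt[user] * 10_000 <= collateral[user] * COLLATERAL_RATIO_BPS;
    }
}
```

A regression test for this class of bug deploys the contract in both modes, gives an account no collateral, calls cook with actions [5, 0] and a nonzero borrow amount, and asserts that only the hardened deployment reverts with "insolvent". The OR-merge is the minimal change; a stricter variant makes the flag write-once by having the loop never assign to status at all and passing it by memory reference to helpers that may only set fields to true.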
User Action Required
For users of Abracadabra or similar DeFi lending protocols, this incident underscores the importance of monitoring which contract versions hold your funds. If a protocol has deprecated certain contracts, verify whether your positions have migrated to the updated versions. Pay attention to emergency pause announcements and understand which assets are affected during active exploits.
More broadly, users should evaluate a protocol’s breach history before committing significant capital. Three exploits in two years is not a statistical anomaly — it is a signal about the robustness of the underlying security practices. Diversifying across protocols and maintaining awareness of which contract versions you interact with remains one of the most effective risk management strategies available to DeFi participants.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
Hardware wallet adoption is the single biggest security improvement anyone can make
Bridge security is still the weakest link in the ecosystem
Real-time monitoring tools are getting better at catching exploits early
deprecated contracts still holding $1.8M in value. the deprecation path in DeFi is basically nonexistent
deprecated contracts should be drained and migrated automatically. leaving them live with any TVL is negligence plain and simple
third exploit in under two years for abracadabra. at what point does the community stop treating every hack as a one-off incident
three exploits and the MIM peg is still holding somehow. either incredible luck or there is enough liquidity backing it that attackers can't break it