Briefing

The Abracadabra decentralized lending protocol suffered a $1.8 million exploit on its Ethereum-based Cauldron V4 contracts, which were deprecated but remained active. The primary consequence was the unauthorized minting and subsequent draining of 1.79 million Magic Internet Money (MIM) stablecoins, which the protocol’s DAO treasury was forced to buy back to stabilize the asset’s peg. The core vulnerability was a critical logic error within the cook() multi-action function that allowed the attacker to repeatedly bypass the mandatory collateral solvency check. This incident represents a significant financial loss for the protocol’s treasury and underscores a fundamental failure in code lifecycle management.

Context

This incident follows a pattern of recurring security lapses for the protocol, which had previously suffered over $19 million in losses from similar smart contract exploits in 2024 and 2025. The prevailing attack surface was the continued operational status of deprecated smart contracts, which often receive less security scrutiny and are not subject to the same strict access controls or code updates as active, audited versions. The failure to fully deactivate or sunset old contract versions created an unnecessary and high-value attack vector.

Analysis

The attack leveraged a flaw in the cook() function, which processes multiple operations within a single transaction using a shared CookStatus struct. The attacker initiated a borrowing action (Action 5), which correctly set the needsSolvencyCheck flag to true. Crucially, they immediately followed this with a different action (Action 0) that was implemented to reset the shared struct to its default state.

This reset inadvertently cleared the needsSolvencyCheck flag to false, effectively nullifying the collateral requirement and enabling the attacker to repeatedly borrow MIM without sufficient backing, thus draining the $1.8 million. The attacker converted the stolen MIM to ETH and laundered the funds through Tornado Cash.
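The state-reset bypass described above, reduced to a small runnable model. This is an added example written for this briefing, not Abracadabra's contract code: the action numbers 0 (reset) and 5 (borrow) and the needsSolvencyCheck flag follow the write-up, while the struct's second field, the LTV ratio, the balances and the function names (Cauldron, cook, is_solvent, exhaustive_check) are assumptions made for illustration. The model runs the same batch against a vulnerable loop, where the reset action replaces the whole shared status struct, and a hardened loop, where the solvency flag is sticky once a borrow has set it. It also enumerates every short action sequence for an uncollateralised user so you can see how many batches leak under each variant.

```python
"""Model of a multi-action cook() loop with a shared status struct.

Constructed example, not the protocol's own code. Action 0 (reset) and
action 5 (borrow) follow the incident write-up; every other detail
(hasAccrued field, LTV ratio, balances, names) is an assumption.
"""
from dataclasses import dataclass, field
from itertools import product

ACTION_RESET = 0    # per the write-up: resets the shared CookStatus
ACTION_BORROW = 5   # per the write-up: borrow, sets needsSolvencyCheck


@dataclass
class CookStatus:
    needsSolvencyCheck: bool = False
    hasAccrued: bool = False  # assumed extra field: what a reset may legitimately own


@dataclass
class Cauldron:
    ltv: float = 0.75                           # assumed max debt/collateral ratio
    collateral: dict = field(default_factory=dict)
    debt: dict = field(default_factory=dict)
    minted: int = 0                             # stablecoin created by borrows

    def is_solvent(self, user: str) -> bool:
        return self.debt.get(user, 0) <= self.collateral.get(user, 0) * self.ltv

    def cook(self, user: str, actions: list, hardened: bool) -> int:
        """Run a batch of (action, amount) pairs; return the amount minted.

        hardened=False reproduces the flaw: a reset replaces the whole struct,
        so borrow-then-reset ends with needsSolvencyCheck == False and the
        final check is skipped.  hardened=True clears only the fields the
        reset action owns; the solvency flag stays set once a borrow set it.
        """
        status = CookStatus()
        before = self.minted
        for action, amount in actions:
            if action == ACTION_BORROW:
                self.debt[user] = self.debt.get(user, 0) + amount
                self.minted += amount
                status.needsSolvencyCheck = True
            elif action == ACTION_RESET:
                if hardened:
                    status.hasAccrued = False   # reset only what this action owns
                else:
                    status = CookStatus()       # vulnerable: flag wiped with everything else
            else:
                raise ValueError(f"unknown action {action}")
        if status.needsSolvencyCheck and not self.is_solvent(user):
            # undo the batch the way an on-chain revert would
            self.debt[user] = self.debt.get(user, 0) - (self.minted - before)
            self.minted = before
            raise RuntimeError("insolvent: borrow rejected")
        return self.minted - before


def bypass_attempt(hardened: bool) -> int:
    """Borrow with zero collateral, then reset. Returns amount minted (0 if rejected)."""
    c = Cauldron()
    try:
        return c.cook("attacker", [(ACTION_BORROW, 1_000_000), (ACTION_RESET, 0)], hardened)
    except RuntimeError:
        return 0


def legitimate_borrow(hardened: bool) -> int:
    """A properly collateralised borrow must succeed under both variants."""
    c = Cauldron(collateral={"alice": 1000})
    return c.cook("alice", [(ACTION_BORROW, 500), (ACTION_RESET, 0)], hardened)


def exhaustive_check(max_len: int = 4) -> tuple:
    """Enumerate every action sequence up to max_len for an uncollateralised user
    and count batches that complete but leave the user insolvent:
    returns (leaks_vulnerable, leaks_hardened)."""
    leaks = [0, 0]
    for n in range(1, max_len + 1):
        for seq in product([ACTION_RESET, ACTION_BORROW], repeat=n):
            actions = [(a, 100) for a in seq]
            for idx, hardened in enumerate((False, True)):
                c = Cauldron()
                try:
                    c.cook("u", actions, hardened)
                except RuntimeError:
                    continue
                if not c.is_solvent("u"):
                    leaks[idx] += 1
    return leaks[0], leaks[1]


if __name__ == "__main__":
    print("vulnerable bypass minted:", bypass_attempt(hardened=False))
    print("hardened bypass minted:  ", bypass_attempt(hardened=True))
    print("leaking sequences (vulnerable, hardened):", exhaustive_check())
```

The exhaustive check is the test a reviewer would want for any multi-action function with a shared status struct: a flag that gates a final invariant check should be monotonic within a batch (once set, never cleared by another action), and enumerating short action sequences catches the reset ordering that a single-path unit test misses. The alternative fix of running the solvency check unconditionally at the end of every cook() removes the flag as an attack surface entirely, at the cost of some gas on batches that never borrow.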

Parameters

  • Total Funds Drained → $1.8 Million – The value of the 1.79 million MIM tokens stolen from the deprecated Cauldron V4 contracts.
  • Affected Asset → 1.79 Million MIM – The exact amount of the Magic Internet Money stablecoin that was unauthorizedly minted and drained.
  • Vulnerable Contract State → Deprecated V4 Cauldron – The specific, older smart contract version on Ethereum Mainnet that contained the exploitable logic flaw.
  • Attack Vector Root Cause → CookStatus Reset Logic – The shared state variable in the cook() multi-action function that was reset, bypassing the solvency check.

Outlook

Protocols must immediately implement a rigorous decommissioning policy to ensure all deprecated smart contracts are fully deactivated, ideally by revoking all permissions or migrating all remaining liquidity. This incident reinforces the principle that code, once deployed, is an immutable liability if not properly secured or sunsetted. Users of similar multi-action DeFi protocols should verify that all associated contracts, especially older versions, have been formally audited and are not exposed to state-reset vulnerabilities. The DAO’s treasury buyback is a necessary, short-term stabilization measure, but it is not a sustainable security practice.

Verdict

The exploit of an active, deprecated smart contract highlights the systemic risk of poor code lifecycle management, affirming that any un-sunsetted contract is an open vulnerability for the entire protocol.

Signal Acquired from → medium.com