Skip to main content
Security

Abracadabra Protocol Drained $1.8 Million Exploiting Deprecated Contract Logic Flaw

A multi-action smart contract logic error in a deprecated lending pool allowed an attacker to repeatedly bypass the solvency check, draining $1.8M in MIM.
November 20, 20254 min

A large, textured sphere, resembling a celestial body, partially submerges in dark blue liquid, generating dynamic splashes. Smaller white spheres interact with the fluid
The image showcases a detailed close-up of a central metallic, circular component with a luminous blue core, partially immersed in a vibrant, effervescent blue material. This mechanism is housed within a robust blue structural framework, highlighting precision engineering and complex internal operations

Briefing

The Abracadabra decentralized lending protocol suffered a $1.8 million exploit on its Ethereum-based Cauldron V4 contracts, which were deprecated but remained active. The primary consequence was the unauthorized minting and subsequent draining of 1.79 million Magic Internet Money (MIM) stablecoins, which the protocol’s DAO treasury was forced to buy back to stabilize the asset’s peg. The core vulnerability was a critical logic error within the cook() multi-action function that allowed the attacker to repeatedly bypass the mandatory collateral solvency check. This incident represents a significant financial loss for the protocol’s treasury and underscores a fundamental failure in code lifecycle management.

Abstract, sleek white and transparent metallic structures dynamically interact with a vibrant blue granular substrate, creating a splash effect and reflecting on a rippled, deep blue liquid surface. The background features a subtle mist, enhancing the futuristic and impactful scene

Context

This incident follows a pattern of recurring security lapses for the protocol, which had previously suffered over $19 million in losses from similar smart contract exploits in 2024 and 2025. The prevailing attack surface was the continued operational status of deprecated smart contracts, which often receive less security scrutiny and are not subject to the same strict access controls or code updates as active, audited versions. The failure to fully deactivate or sunset old contract versions created an unnecessary and high-value attack vector.

A robust, metallic blue and silver apparatus is partially submerged in a field of fine, sparkling granular particles. A vibrant stream of blue, particle-laden fluid traverses a transparent central channel

Analysis

The attack leveraged a flaw in the cook() function, which processes multiple operations within a single transaction using a shared CookStatus struct. The attacker initiated a borrowing action (Action 5), which correctly set the needsSolvencyCheck flag to true. Crucially, they immediately followed this with a different action (Action 0) that was implemented to reset the shared struct to its default state.

This reset inadvertently cleared the needsSolvencyCheck flag to false, effectively nullifying the collateral requirement and enabling the attacker to repeatedly borrow MIM without sufficient backing, thus draining the $1.8 million. The attacker converted the stolen MIM to ETH and laundered the funds through Tornado Cash.

A futuristic spherical mechanism, partially open, reveals an intricate internal process with distinct white and blue elements. The left side displays a dense aggregation of white, granular material, transitioning dynamically into a vibrant formation of sharp, blue crystalline structures on the right, all contained within a metallic, paneled shell

Parameters

  • Total Funds Drained ∞ $1.8 Million – The value of the 1.79 million MIM tokens stolen from the deprecated Cauldron V4 contracts.
  • Affected Asset ∞ 1.79 Million MIM – The exact amount of the Magic Internet Money stablecoin that was unauthorizedly minted and drained.
  • Vulnerable Contract State ∞ Deprecated V4 Cauldron – The specific, older smart contract version on Ethereum Mainnet that contained the exploitable logic flaw.
  • Attack Vector Root Cause ∞ CookStatus Reset Logic – The shared state variable in the cook() multi-action function that was reset, bypassing the solvency check.

A central metallic protocol mechanism, intricately designed with visible apertures, is depicted surrounded by a dynamic, luminous blue fluid. This fluid, resembling a liquidity pool, exhibits flowing motion, highlighting the metallic component's precision engineering

Outlook

Protocols must immediately implement a rigorous decommissioning policy to ensure all deprecated smart contracts are fully deactivated, ideally by revoking all permissions or migrating all remaining liquidity. This incident reinforces the principle that code, once deployed, is an immutable liability if not properly secured or sunsetted. Users of similar multi-action DeFi protocols should verify that all associated contracts, especially older versions, have been formally audited and are not exposed to state-reset vulnerabilities. The DAO’s treasury buyback is a necessary, short-term stabilization measure, but it is not a sustainable security practice.

A highly detailed, blue-toned mechanical apparatus, featuring tightly bundled wires and precision-engineered metallic components, is sharply focused in the foreground. The intricate design showcases a complex system of interconnected parts

Verdict

The exploit of an active, deprecated smart contract highlights the systemic risk of poor code lifecycle management, affirming that any un-sunsetted contract is an open vulnerability for the entire protocol.

smart contract vulnerability, logic error, solvency check bypass, deprecated code risk, under-collateralized borrowing, multi-action function, DeFi lending protocol, stablecoin peg risk, on-chain forensics, treasury buyback, Ethereum mainnet, code audit failure, recursive borrowing, lending pool exploit, collateral verification failure, flash loan attack vector, smart contract audit, security posture, risk mitigation, asset protection, decentralized autonomous organization, DAO governance, token stability, market impact, MIM stablecoin, Ethereum blockchain, contract decommissioning, code security, systemic risk, attack vector analysis, incident response, on-chain data, forensic analysis. Signal Acquired from ∞ medium.com

Micro Crypto News Feeds

lifecycle management

Definition ∞ Lifecycle Management pertains to the comprehensive oversight of an asset or product from its initial conception through its operational existence and eventual retirement.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

stablecoin

Definition ∞ A stablecoin is a type of cryptocurrency designed to maintain a stable value relative to a specific asset, such as a fiat currency or a commodity.

ethereum mainnet

Definition ∞ Ethereum Mainnet is the principal, operational blockchain network where all verified Ethereum transactions and smart contract code executions occur.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.

Tags:

Tags: