Security

Abracadabra Protocol Drained $1.8 Million Exploiting Deprecated Contract Logic Flaw

A multi-action smart contract logic error in a deprecated lending pool allowed an attacker to repeatedly bypass the solvency check, draining $1.8M in MIM.
November 20, 20254 min

A detailed close-up shows a complex, futuristic mechanism composed of shiny silver and translucent blue components. At its core, a cross-shaped structure made of light blue foamy material features a prominent metallic five-pointed star
A sophisticated metallic assembly, comprising interconnected silver and black geometric elements and visible bearings, is depicted partially submerged within a pale blue, granular substance. Beneath this textured surface, an intensely luminous electric blue network, characterized by intricate, flowing patterns, suggests a foundational digital architecture

Briefing

The Abracadabra decentralized lending protocol suffered a $1.8 million exploit on its Ethereum-based Cauldron V4 contracts, which were deprecated but remained active. The primary consequence was the unauthorized minting and subsequent draining of 1.79 million Magic Internet Money (MIM) stablecoins, which the protocol’s DAO treasury was forced to buy back to stabilize the asset’s peg. The core vulnerability was a critical logic error within the cook() multi-action function that allowed the attacker to repeatedly bypass the mandatory collateral solvency check. This incident represents a significant financial loss for the protocol’s treasury and underscores a fundamental failure in code lifecycle management.

A close-up view reveals a metallic, hexagonal object with intricate silver and dark grey patterns, partially surrounded by a vibrant, translucent blue, organic-looking material. A cylindrical metallic component protrudes from one side of the central object

Context

This incident follows a pattern of recurring security lapses for the protocol, which had previously suffered over $19 million in losses from similar smart contract exploits in 2024 and 2025. The prevailing attack surface was the continued operational status of deprecated smart contracts, which often receive less security scrutiny and are not subject to the same strict access controls or code updates as active, audited versions. The failure to fully deactivate or sunset old contract versions created an unnecessary and high-value attack vector.

A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Analysis

The attack leveraged a flaw in the cook() function, which processes multiple operations within a single transaction using a shared CookStatus struct. The attacker initiated a borrowing action (Action 5), which correctly set the needsSolvencyCheck flag to true. Crucially, they immediately followed this with a different action (Action 0) that was implemented to reset the shared struct to its default state.

This reset inadvertently cleared the needsSolvencyCheck flag to false, effectively nullifying the collateral requirement and enabling the attacker to repeatedly borrow MIM without sufficient backing, thus draining the $1.8 million. The attacker converted the stolen MIM to ETH and laundered the funds through Tornado Cash.

A robust, metallic blue and silver apparatus is partially submerged in a field of fine, sparkling granular particles. A vibrant stream of blue, particle-laden fluid traverses a transparent central channel

Parameters

  • Total Funds Drained → $1.8 Million – The value of the 1.79 million MIM tokens stolen from the deprecated Cauldron V4 contracts.
  • Affected Asset → 1.79 Million MIM – The exact amount of the Magic Internet Money stablecoin that was unauthorizedly minted and drained.
  • Vulnerable Contract State → Deprecated V4 Cauldron – The specific, older smart contract version on Ethereum Mainnet that contained the exploitable logic flaw.
  • Attack Vector Root Cause → CookStatus Reset Logic – The shared state variable in the cook() multi-action function that was reset, bypassing the solvency check.

A luminous, translucent blue-grey amorphous structure elegantly envelops a vibrant, solid blue sphere, set against a subtle gradient background. The flowing, organic forms create a sense of depth and protection around the central element

Outlook

Protocols must immediately implement a rigorous decommissioning policy to ensure all deprecated smart contracts are fully deactivated, ideally by revoking all permissions or migrating all remaining liquidity. This incident reinforces the principle that code, once deployed, is an immutable liability if not properly secured or sunsetted. Users of similar multi-action DeFi protocols should verify that all associated contracts, especially older versions, have been formally audited and are not exposed to state-reset vulnerabilities. The DAO’s treasury buyback is a necessary, short-term stabilization measure, but it is not a sustainable security practice.

A detailed close-up presents a sophisticated, multi-layered metallic mechanism, featuring vibrant blue and silver components with intricate grooves, partially obscured by a translucent, effervescent blue surface teeming with countless tiny bubbles. The foreground's bubbly texture contrasts with the precise engineering of the hidden structure

Verdict

The exploit of an active, deprecated smart contract highlights the systemic risk of poor code lifecycle management, affirming that any un-sunsetted contract is an open vulnerability for the entire protocol.

smart contract vulnerability, logic error, solvency check bypass, deprecated code risk, under-collateralized borrowing, multi-action function, DeFi lending protocol, stablecoin peg risk, on-chain forensics, treasury buyback, Ethereum mainnet, code audit failure, recursive borrowing, lending pool exploit, collateral verification failure, flash loan attack vector, smart contract audit, security posture, risk mitigation, asset protection, decentralized autonomous organization, DAO governance, token stability, market impact, MIM stablecoin, Ethereum blockchain, contract decommissioning, code security, systemic risk, attack vector analysis, incident response, on-chain data, forensic analysis. Signal Acquired from → medium.com

Micro Crypto News Feeds

lifecycle management

Definition ∞ Lifecycle Management pertains to the comprehensive oversight of an asset or product from its initial conception through its operational existence and eventual retirement.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

stablecoin

Definition ∞ A stablecoin is a type of cryptocurrency designed to maintain a stable value relative to a specific asset, such as a fiat currency or a commodity.

ethereum mainnet

Definition ∞ Ethereum Mainnet is the principal, operational blockchain network where all verified Ethereum transactions and smart contract code executions occur.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.

Tags:

Tags: