Security

Abracadabra Protocol Drained $1.8 Million Exploiting Deprecated Contract Logic Flaw

A multi-action smart contract logic error in a deprecated lending pool allowed an attacker to repeatedly bypass the solvency check, draining $1.8M in MIM.
November 20, 20254 min

The image presents a striking close-up of a crumpled, translucent object filled with a vibrant blue liquid, adorned with numerous white bubbles. A distinct metallic silver ring is integrated into the left side of the object, all set against a soft, light gray background
A snow-covered mass, resembling an iceberg, floats in serene blue water, hosting a textured white sphere and interacting with a metallic, faceted object. From this interaction, a vivid blue liquid cascades into the water, creating white splashes

Briefing

The Abracadabra decentralized lending protocol suffered a $1.8 million exploit on its Ethereum-based Cauldron V4 contracts, which were deprecated but remained active. The primary consequence was the unauthorized minting and subsequent draining of 1.79 million Magic Internet Money (MIM) stablecoins, which the protocol’s DAO treasury was forced to buy back to stabilize the asset’s peg. The core vulnerability was a critical logic error within the cook() multi-action function that allowed the attacker to repeatedly bypass the mandatory collateral solvency check. This incident represents a significant financial loss for the protocol’s treasury and underscores a fundamental failure in code lifecycle management.

A close-up view reveals a transparent, multi-chambered mechanism containing distinct white granular material actively moving over a textured blue base. The white substance appears agitated and flowing, guided by the clear structural elements, with a circular metallic component visible within the blue substrate

Context

This incident follows a pattern of recurring security lapses for the protocol, which had previously suffered over $19 million in losses from similar smart contract exploits in 2024 and 2025. The prevailing attack surface was the continued operational status of deprecated smart contracts, which often receive less security scrutiny and are not subject to the same strict access controls or code updates as active, audited versions. The failure to fully deactivate or sunset old contract versions created an unnecessary and high-value attack vector.

The image displays a 3D rendering of a complex molecular structure, predominantly in translucent blue. It features numerous spherical nodes connected by rod-like links, with a central, irregular, liquid-like mass dynamically forming

Analysis

The attack leveraged a flaw in the cook() function, which processes multiple operations within a single transaction using a shared CookStatus struct. The attacker initiated a borrowing action (Action 5), which correctly set the needsSolvencyCheck flag to true. Crucially, they immediately followed this with a different action (Action 0) that was implemented to reset the shared struct to its default state.

This reset inadvertently cleared the needsSolvencyCheck flag to false, effectively nullifying the collateral requirement and enabling the attacker to repeatedly borrow MIM without sufficient backing, thus draining the $1.8 million. The attacker converted the stolen MIM to ETH and laundered the funds through Tornado Cash.

A detailed, angled perspective showcases a futuristic device featuring two polished, circular metallic buttons integrated into a translucent, textured casing. Beneath the clear surface, intricate blue patterns flow dynamically, suggesting internal processes or energy conduits

Parameters

  • Total Funds Drained → $1.8 Million – The value of the 1.79 million MIM tokens stolen from the deprecated Cauldron V4 contracts.
  • Affected Asset → 1.79 Million MIM – The exact amount of the Magic Internet Money stablecoin that was unauthorizedly minted and drained.
  • Vulnerable Contract State → Deprecated V4 Cauldron – The specific, older smart contract version on Ethereum Mainnet that contained the exploitable logic flaw.
  • Attack Vector Root Cause → CookStatus Reset Logic – The shared state variable in the cook() multi-action function that was reset, bypassing the solvency check.

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Outlook

Protocols must immediately implement a rigorous decommissioning policy to ensure all deprecated smart contracts are fully deactivated, ideally by revoking all permissions or migrating all remaining liquidity. This incident reinforces the principle that code, once deployed, is an immutable liability if not properly secured or sunsetted. Users of similar multi-action DeFi protocols should verify that all associated contracts, especially older versions, have been formally audited and are not exposed to state-reset vulnerabilities. The DAO’s treasury buyback is a necessary, short-term stabilization measure, but it is not a sustainable security practice.

A striking close-up reveals a central metallic, modular structure with four transparent blue arms extending in an 'X' shape. These arms are encrusted with fine, light blue granular particles, flowing outwards from the core into a broader, frosted blue background

Verdict

The exploit of an active, deprecated smart contract highlights the systemic risk of poor code lifecycle management, affirming that any un-sunsetted contract is an open vulnerability for the entire protocol.

smart contract vulnerability, logic error, solvency check bypass, deprecated code risk, under-collateralized borrowing, multi-action function, DeFi lending protocol, stablecoin peg risk, on-chain forensics, treasury buyback, Ethereum mainnet, code audit failure, recursive borrowing, lending pool exploit, collateral verification failure, flash loan attack vector, smart contract audit, security posture, risk mitigation, asset protection, decentralized autonomous organization, DAO governance, token stability, market impact, MIM stablecoin, Ethereum blockchain, contract decommissioning, code security, systemic risk, attack vector analysis, incident response, on-chain data, forensic analysis. Signal Acquired from → medium.com

Micro Crypto News Feeds

lifecycle management

Definition ∞ Lifecycle Management pertains to the comprehensive oversight of an asset or product from its initial conception through its operational existence and eventual retirement.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

stablecoin

Definition ∞ A stablecoin is a type of cryptocurrency designed to maintain a stable value relative to a specific asset, such as a fiat currency or a commodity.

ethereum mainnet

Definition ∞ Ethereum Mainnet is the principal, operational blockchain network where all verified Ethereum transactions and smart contract code executions occur.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.

Tags:

Tags: