Ethereum
October 4, 2025

Abracadabra Money $1.8M Exploit - Logic Flaw Bypasses Solvency

Abracadabra Money's third exploit in two years. Logic flaw in CauldronV4 contracts allowed $1.8M unbacked MIM borrowing via status flag reset.


Defimon Alerts

  • Alert: suspicious_contract_call_with_profit
  • Victim: 0xd96f48665a1410c0cd669a88898eca36b9fc2cce
  • Network: ethereum
  • Attacker: 0x1AaaDe3e9062d124B7DeB0eD6DDC7055EFA7354d
  • Exploit: 0xB8e0A4758Df2954063Ca4ba3d094f2d6EdA9B993
  • Balance Change: $1.80M

TLDR

On October 4, 2025, Abracadabra Money suffered its third major security breach in under two years, losing approximately $1.8 million worth of MIM tokens through a critical logic flaw in the protocol's CauldronV4 contracts. The vulnerability allowed an attacker to bypass solvency checks and borrow Magic Internet Money without providing any collateral, exploiting six deprecated but still-active Cauldron instances on Ethereum mainnet.

Attack Overview

The exploit targeted Abracadabra's multi-action batching mechanism, specifically the cook() function that allows users to chain multiple operations into a single transaction. The attacker discovered that by calling Action 5 (borrow) followed immediately by Action 0 (a virtual hook with no implementation), they could reset the needsSolvencyCheck flag and walk away with unbacked loans totaling 1,793,755 MIM tokens.

The attack sequence was simple but devastating. Borrow MIM through Action 5, which sets the solvency check flag to true. Then invoke Action 0, which calls an empty virtual function that returns a default-initialized CookStatus struct with all boolean flags set to false. The end-of-transaction solvency verification never executes, and the borrowed funds require no collateral whatsoever.

The targeted contracts were labeled "deprecated" but remained fully operational and accessible, having received no security audit since November 2023 despite the protocol launching new features and suffering two previous exploits during that period.

Technical Analysis

The CauldronV4 contracts implement a cook() function designed for operational efficiency, allowing users to batch deposits, borrows, and repayments into a single atomic transaction. Each action is identified by an integer code; the actions are processed sequentially, and each one updates a shared CookStatus struct that tracks critical security flags.

```solidity
struct CookStatus {
    bool needsSolvencyCheck;
    bool hasAccrued;
}
```

Action 5 handles borrowing and correctly sets the solvency check requirement.

```solidity
if (action == ACTION_BORROW) {
    (value1, value2) = _borrow(to, _num(amount, value1, value2));
    status.needsSolvencyCheck = true;
}
```

After processing all actions, the function performs a final validation.

```solidity
if (status.needsSolvencyCheck) {
    (, uint256 _exchangeRate) = updateExchangeRate();
    require(_isSolvent(msg.sender, _exchangeRate), "Cauldron: user insolvent");
}
```

The vulnerability exists in how unknown action codes delegate to a virtual helper function.

```solidity
function _additionalCookAction(
    CookStatus memory,
    bytes memory
) internal pure virtual returns (CookStatus memory) {
    // Fresh struct: needsSolvencyCheck = false, hasAccrued = false
    return CookStatus(false, false);
}
```

This function returns a completely fresh CookStatus instance with all security flags disabled. When Action 0 executes, it overwrites the existing status struct with this default-initialized version, silently clearing the needsSolvencyCheck flag that Action 5 had just set.

The attacker's transaction demonstrates the exploit pattern across multiple Cauldrons.

```solidity
// Borrow first, then trigger the flag reset
actions = [5, 0]
```

Action 5 borrows the maximum available MIM and sets needsSolvencyCheck = true. Action 0 immediately calls _additionalCookAction(), which returns CookStatus(false) and overwrites the solvency requirement. The transaction completes without collateral verification, minting unbacked stablecoins directly into the attacker's wallet.

Code Vulnerability

The fundamental issue lies in the base implementation of the virtual hook.

```solidity
function _additionalCookAction(
    CookStatus memory status,
    bytes memory data
) internal pure virtual returns (CookStatus memory) {
    return CookStatus(false, false); // Resets all flags to default false
}
```

Rather than preserving or merging the existing CookStatus flags, this function unconditionally returns a new struct with all security checks disabled. The virtual keyword suggests this was intended to be overridden in derived contracts, but the vulnerable Cauldron implementations never provided that override, leaving the dangerous default behavior active in production.

A safe implementation would preserve critical flags.

```solidity
function _additionalCookAction(
    CookStatus memory status,
    bytes memory data
) internal pure virtual returns (CookStatus memory) {
    // Preserve existing security flags
    return status;
}
```

Or explicitly merge any new flags.

```solidity
function _additionalCookAction(
    CookStatus memory status,
    bytes memory data
) internal pure virtual returns (CookStatus memory) {
    CookStatus memory newStatus; // custom logic populates newStatus here
    // Merge: a flag set by an earlier action can only be kept, never cleared
    newStatus.needsSolvencyCheck = status.needsSolvencyCheck || newStatus.needsSolvencyCheck;
    newStatus.hasAccrued = status.hasAccrued || newStatus.hasAccrued;
    return newStatus;
}
```
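To make the flag overwrite concrete, the following is an added Python model of the cook() dispatch loop described above and of the hook variants discussed in this section (example code written for this page, not the project's Solidity): the borrow action sets needsSolvencyCheck, every code without a built-in handler is delegated to a hook whose return value replaces the status struct, and the end-of-cook solvency check runs only if the flag survived. The three hooks replay the vulnerable base implementation and the two safer variants; reducing the borrow to a counter, and the "custom logic" inside the merging hook (bit 0 of the action's data requests a check), are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added model of the CauldronV4 cook() dispatch loop; not the project's code.
# Only the two flags of the page's CookStatus struct are modelled, and the
# borrow itself is reduced to a counter so that the flag handling stays in focus.

ACTION_BORROW = 5   # Action 5 on the page: borrow, sets needsSolvencyCheck
ACTION_HOOK = 0     # Action 0 on the page: no built-in handler, delegated to the hook


@dataclass
class CookStatus:
    needsSolvencyCheck: bool = False
    hasAccrued: bool = False


Hook = Callable[[CookStatus, bytes], CookStatus]


def vulnerable_hook(status: CookStatus, data: bytes) -> CookStatus:
    """Base _additionalCookAction as the page describes it: a fresh,
    default-initialised struct is returned and the incoming flags are lost."""
    return CookStatus()


def preserving_hook(status: CookStatus, data: bytes) -> CookStatus:
    """First safe variant from the page: hand the existing flags back unchanged."""
    return status


def merging_hook(status: CookStatus, data: bytes) -> CookStatus:
    """Second safe variant from the page: compute new flags, then OR them with
    the incoming ones so a flag set by an earlier action can never be cleared.
    The 'custom logic' is constructed here as: bit 0 of data requests a check."""
    new = CookStatus(needsSolvencyCheck=bool(data) and bool(data[0] & 1))
    new.needsSolvencyCheck = status.needsSolvencyCheck or new.needsSolvencyCheck
    new.hasAccrued = status.hasAccrued or new.hasAccrued
    return new


@dataclass
class CookResult:
    borrows: int              # how many borrow actions ran
    solvency_checked: bool    # whether the end-of-cook check would execute


def run_cook(actions: List[int], hook: Hook,
             datas: Optional[List[bytes]] = None) -> CookResult:
    """Replay the cook() loop: the built-in borrow action sets the flag, every
    other code is delegated to `hook`, whose return value REPLACES status
    (as in the page's snippet), and the solvency check runs at the end only if
    the flag survived."""
    if datas is None:
        datas = [b""] * len(actions)
    status = CookStatus()
    borrows = 0
    for action, data in zip(actions, datas):
        if action == ACTION_BORROW:
            borrows += 1
            status.needsSolvencyCheck = True
        else:
            status = hook(status, data)
    return CookResult(borrows=borrows, solvency_checked=status.needsSolvencyCheck)


if __name__ == "__main__":
    for name, hook in [("vulnerable", vulnerable_hook),
                       ("preserving", preserving_hook),
                       ("merging", merging_hook)]:
        r = run_cook([ACTION_BORROW, ACTION_HOOK], hook)
        print(f"{name:10s} actions=[5, 0] borrows={r.borrows} "
              f"solvency_checked={r.solvency_checked}")
```

Running the model with `[5, 0]` shows the borrow counted but no solvency check under the vulnerable hook, and the check retained under either safe variant; reversing the order to `[0, 5]` leaves even the vulnerable hook harmless, which is why the ordering inside a single cook() call is the property worth checking.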

The deprecated status of these Cauldrons compounded the risk. While the team audited new features like GMXV2 CauldronV4 (November 2023), LockingMultiRewards (February 2024), MIMSwap (March 2024), and BoundSpell (December 2024), the foundational CauldronV4 logic handling Ethereum mainnet borrows received no recent security review. Production contracts carrying actual user funds remained unexamined while development resources focused on expansion.

Impact Assessment

The attacker executed the exploit across six Cauldron contracts, systematically draining available liquidity.

  • 0x46f54d434063e5F1a2b2CC6d9AAa657b1B9ff82c
  • 0x289424aDD4A1A503870EB475FD8bF1D586b134ED
  • 0xce450a23378859fB5157F4C4cCCAf48faA30865B
  • 0x40d95C4b34127CF43438a963e7C066156C5b87a3
  • 0x6bcd99D6009ac1666b58CB68fB4A50385945CDA2
  • 0xC6D3b82f9774Db8F92095b5e4352a8bB8B0dC20d

The attack transaction minted 1,793,755 MIM tokens without collateral, representing approximately $1.8 million at the stablecoin's dollar peg. The attacker immediately converted the stolen MIM through established DeFi liquidity pools, swapping to DAI, then USDC, then WETH, and finally native ETH, ultimately securing roughly 395 ETH in proceeds.
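Because each drained Cauldron was hit through the same cook() call shape, a monitor can flag the ordering before or as it lands on chain. The following is an added detection example (not from the page or the project) in Python: it decodes the `actions` array of a `cook(uint8[],uint256[],bytes[])` call from raw calldata with a minimal ABI decoder and reports every borrow that is followed, later in the same call, by an action code the Cauldron does not handle itself. The encoder exists only to build constructed sample calldata; the function selector is a placeholder, and the set of built-in action codes is an assumption for the example (only 5 is taken from the page) that a real deployment would populate from the monitored contract's source.

```python
from typing import List, Set, Tuple

# Added detection example, not from the page or the project: decode the
# `actions` array of a cook(uint8[],uint256[],bytes[]) call and flag the
# ordering the page describes (a borrow followed, later in the same call, by a
# code the Cauldron delegates to _additionalCookAction).

ACTION_BORROW = 5  # from the page

# Constructed for this example: only 5 is taken from the page. Populate from
# the ACTION_* constants in the monitored contract's source; any code outside
# the set falls through to the hook.
EXAMPLE_BUILTIN_ACTIONS: Set[int] = {5}

# Placeholder; the real selector is keccak256("cook(uint8[],uint256[],bytes[])")[:4].
SELECTOR_PLACEHOLDER = bytes.fromhex("00000000")


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def encode_cook(actions: List[int], values: List[int], datas: List[bytes]) -> bytes:
    """Minimal ABI encoder for cook(uint8[],uint256[],bytes[]); used only to
    build constructed sample calldata for the decoder below."""
    n = len(actions)
    enc_actions = _word(n) + b"".join(_word(a) for a in actions)
    enc_values = _word(n) + b"".join(_word(v) for v in values)
    # bytes[]: length, one offset per element (relative to the element area),
    # then each element as length + zero-padded payload
    elems = [_word(len(d)) + d + b"\x00" * ((32 - len(d) % 32) % 32) for d in datas]
    offsets, pos = [], 32 * len(datas)
    for e in elems:
        offsets.append(_word(pos))
        pos += len(e)
    enc_datas = _word(len(datas)) + b"".join(offsets) + b"".join(elems)
    # head: three offsets to the dynamic arguments, relative to the args start
    off_actions = 3 * 32
    off_values = off_actions + len(enc_actions)
    off_datas = off_values + len(enc_values)
    head = _word(off_actions) + _word(off_values) + _word(off_datas)
    return SELECTOR_PLACEHOLDER + head + enc_actions + enc_values + enc_datas


def decode_actions(calldata: bytes) -> List[int]:
    """Read the uint8[] `actions` argument: follow the first head offset to the
    array, read its length, then one 32-byte word per element."""
    args = calldata[4:]
    off = int.from_bytes(args[0:32], "big")
    n = int.from_bytes(args[off:off + 32], "big")
    start = off + 32
    return [int.from_bytes(args[start + 32 * i:start + 32 * (i + 1)], "big")
            for i in range(n)]


def find_flag_reset(actions: List[int], builtin: Set[int]) -> List[Tuple[int, int]]:
    """Return (borrow_index, hook_index) pairs: each borrow that is followed
    later in the same cook() by a code delegated to the hook. Order matters:
    a hook action BEFORE the borrow cannot clear the flag the borrow sets."""
    hits = []
    for i, a in enumerate(actions):
        if a != ACTION_BORROW:
            continue
        for j in range(i + 1, len(actions)):
            if actions[j] not in builtin:
                hits.append((i, j))
                break
    return hits


def scan_cook_calldata(calldata: bytes, builtin: Set[int]) -> List[Tuple[int, int]]:
    """Decode and scan in one step, for use in a mempool or block monitor."""
    return find_flag_reset(decode_actions(calldata), builtin)


if __name__ == "__main__":
    # Constructed sample: the [5, 0] ordering from the page, zero values,
    # empty per-action data
    sample = encode_cook([5, 0], [0, 0], [b"", b""])
    print("decoded actions:", decode_actions(sample))
    print("borrow-then-hook pairs:", scan_cook_calldata(sample, EXAMPLE_BUILTIN_ACTIONS))
```

Wired to a feed of transactions addressed to the Cauldron contracts listed above, any non-empty result is a candidate for an alert; the rule is deliberately narrow (borrow before an unhandled code in one call) so that ordinary batched deposits and repayments are not reported.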

Funds flowed through the shared DegenBox vault at 0xd96f48665a1410c0cd669a88898eca36b9fc2cce, which holds collateral and borrowed assets across all Cauldron instances. The unbacked MIM withdrawal effectively diluted the protocol's reserves, creating a systemic undercollateralization that required immediate intervention.

Abracadabra's DAO treasury executed a buyback operation to absorb the market impact, purchasing the dumped MIM from secondary markets and claiming full mitigation of the attack's effects. The protocol maintains that no user deposits were directly affected, framing the $1.8 million loss as an internal treasury expense rather than customer funds.

This incident marks Abracadabra's third exploit since January 2024. The protocol lost $6.5 million in January 2024, another $13 million in March 2025, and now $1.8 million in October 2025, bringing cumulative losses to over $21 million while the protocol continues planning future deployments on a codebase that has demonstrated repeated security failures.

Response and Recovery

The team paused all Cauldron borrowing operations within hours of the exploit, citing the need to "review the current codebase for future upcoming deployments." The phrasing suggests continued expansion plans despite three major breaches in rapid succession.

The protocol's official response emphasized "no user funds lost" and "relatively small impact," positioning a $1.8 million theft and third exploit in two years as minor operational issues. DAO treasury buybacks absorbed the stolen MIM from secondary markets, preventing significant stablecoin depeg but consuming stakeholder capital that could have funded comprehensive security audits or proper contract deprecation procedures.

Notably, warning signs were publicly visible before the attack. Synnax Labs, running a forked version of Abracadabra's codebase on the SEI chain, paused their contracts three days before the exploit after identifying the vulnerability. PeckShield had audited Synnax in November 2024 and missed the critical flaw entirely. Eighteen hours before the Abracadabra attack, PeckShield deleted their Synnax audit report from GitHub, and later issued a refund to Synnax after the audit failure became public.

The sequence of events raises questions about coordination and disclosure. A fork protocol pauses contracts due to a critical vulnerability, an audit firm quietly deletes evidence of missing that vulnerability, and the original protocol's deprecated-but-active contracts remain exposed until exploitation. The time gap between Synnax's pause and Abracadabra's exploit provided a window for responsible disclosure that apparently never occurred.

Abracadabra's response notably arrived through Discord contributor 0xMerlin rather than official channels, and the public Twitter announcement came two days after the incident. The protocol maintains $154 million in total value locked and continues development efforts, but three exploits in under two years targeting different vulnerability classes suggest systemic security process failures rather than isolated code bugs.


© 2025 Defimon by Decurity
