Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024
Quick Take
- A hacker stole nearly $1.8 million worth of DeFi lending protocol Abracadabra’s decentralized stablecoin Magic Internet Money.
- The attacker manipulated a solvency check flaw in one of the protocol’s functions to borrow more tokens than collateral allowed.
- The attack is the third major hack that Abracadabra has suffered since the start of 2024, with over $21 million in total losses over the three incidents.
- Abracadabra said it would buy back the stolen stablecoins using DAO treasury funds, and that no user funds were affected.
Abracadabra, a DeFi lending protocol which also issues the decentralized Magic Internet Money (MIM) stablecoin, lost nearly $1.8 million worth of MIM after an attacker exploited a flaw in one of the protocol's functions.
In the attack, which occurred late Saturday night, an unknown threat actor leveraged a smart contract vulnerability to bypass solvency checks, allowing them to extract 1.79 million MIM from the protocol, according to security firm BlockSec Phalcon. The attack wallet's initial funding came from mixing protocol Tornado Cash; following the attack, the attacker swapped the tokens for ETH and sent it back to Tornado.
"A potential attack vector was identified today in some deprecated contracts. The issue has been mitigated and closed," DAO contributor 0xMerlin wrote on the protocol's Discord server. "The affected MIM (although minimal) was bought back from the market using the DAO treasury and is currently awaiting repayment to the DAO treasury in ETH...No user funds have been affected."
MIM currently has a circulating supply of nearly 44 million tokens, according to Abracadabra's data, with most of the tokens trading on Ethereum and its Layer 2 network Arbitrum. The protocol has a total value locked (TVL) figure of $154 million.
The attack marks the third major security incident for the lending protocol. Abracadabra lost $6.4 million to a smart contract hack that also managed to bypass insolvency checks in January 2024, and a hacker stole $13 million worth of MIM in March 2025 with a seven-step flash loan attack. Altogether, the protocol has lost over $21 million in funds since 2024 to exploits.
0xMerlin also said the Abracadabra team is reviewing internal processes in order to strengthen the protocol and prevent similar issues from arising in the future. Abracadabra could not be immediately reached for comment by The Block, and the team has not yet issued a public-facing statement.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
