{"id":89612,"date":"2025-10-06T10:13:39","date_gmt":"2025-10-06T07:13:39","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=89612"},"modified":"2025-10-06T10:15:12","modified_gmt":"2025-10-06T07:15:12","slug":"hackers-breach-defi-protocol-abracadabra-for-1-8-million","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-breach-defi-protocol-abracadabra-for-1-8-million\/","title":{"rendered":"Hackers Breach DeFi Protocol Abracadabra for $1.8 Million"},"content":{"rendered":"<p>A hacking incident resulted in the loss of nearly $1.8 million in MIM stablecoins from the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-decentralised-finance-defi\">DeFi<\/a> project Abracadabra Finance.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">.<a href=\"https:\/\/twitter.com\/MIM_Spell?ref_src=twsrc%5Etfw\">@MIM_Spell<\/a> was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common\u2026 <a href=\"https:\/\/t.co\/4tQzkRbwcT\">pic.twitter.com\/4tQzkRbwcT<\/a><\/p>\n<p>\u2014 BlockSec Phalcon (@Phalcon_xyz) <a href=\"https:\/\/twitter.com\/Phalcon_xyz\/status\/1974533451408986417?ref_src=twsrc%5Etfw\">October 4, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This marks the third breach for the platform.<\/p>\n<p>According to BlockSec Phalcon, the attacker exploited a vulnerability in the smart contract, bypassing the solvency check. The attack address received initial funding through <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a>. Following the breach, the hacker <a href=\"https:\/\/etherscan.io\/address\/0x1aaade3e9062d124b7deb0ed6ddc7055efa7354d\">exchanged<\/a> the stolen tokens for ETH and sent them back to the mixer.<\/p>\n<p>A representative of <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-dao-decentralised-autonomous-organisation\">DAO<\/a> Abracadabra, known as 0xMerlin, <a href=\"https:\/\/discord.com\/channels\/847767926286319646\/847767926286319649\/1424060993096519733\">stated<\/a> that the attack vector was found in outdated contracts. He noted that the issue has been resolved. The lost MIM was repurchased from the market by the decentralized organization. He emphasized that user funds were not affected.<\/p>\n<p>0xMerlin added that the team is reviewing internal processes to enhance security. At the time of writing, the protocol had not issued an official public statement.<\/p>\n<p>Back in 2024, Abracadabra <a href=\"https:\/\/forklog.com\/en\/news\/abracadabra-project-loses-6-5-million-in-exploit\">lost<\/a> $6.5 million.<\/p>\n<p>In March 2025, a hacker <a href=\"https:\/\/forklog.com\/en\/news\/abracadabra-finance-protocol-suffers-13-million-hack\">stole<\/a> approximately $13 million from the project&#8217;s pools.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A hacking incident resulted in the loss of nearly $1.8 million in MIM stablecoins from the DeFi project Abracadabra Finance.<\/p>\n","protected":false},"author":1,"featured_media":89613,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Abracadabra Finance lost nearly $1.8 million in MIM stablecoins due to a hack.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1093],"class_list":["post-89612","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"256","promo_type":"1","layout_type":"1","short_excerpt":"Abracadabra Finance lost nearly $1.8 million in MIM stablecoins due to a hack.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=89612"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89612\/revisions"}],"predecessor-version":[{"id":89614,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89612\/revisions\/89614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/89613"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=89612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=89612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=89612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}