A Familiar DeFi Nightmare
Abracadabra, the DeFi lending protocol behind the Magic Internet Money (MIM) stablecoin, was struck late Saturday night by yet another attack — its third major exploit since 2024. According to BlockSec Phalcon, the hacker exploited a smart contract vulnerability that allowed them to bypass solvency checks, siphoning off 1.79 million MIM in the process.
The attacker’s wallet was initially funded via Tornado Cash, the notorious Ethereum mixer frequently used to obscure transaction trails. After draining the funds, the hacker swapped the stolen MIM for ETH and promptly sent the proceeds back through Tornado Cash, effectively erasing the money trail.
A DAO contributor known as “0xMerlin” confirmed the incident in the project’s Discord server, saying:
Team Moves Fast to Contain the Damage
According to 0xMerlin, no user funds were affected, and the lost MIM has already been bought back from the market using the DAO’s treasury. The replacement funds are being held in ETH, awaiting repayment to replenish the treasury.
Despite this swift response, the hack raises renewed concerns about the security of DeFi protocols still running older smart contracts. With roughly 44 million MIM in circulation, most of which trade on Ethereum and Arbitrum, the loss may be small in proportion — but symbolically, it’s another blow to confidence.
The platform currently boasts a Total Value Locked (TVL) of $154 million, meaning the exploit represents just over 1% of its assets. However, given Abracadabra’s troubled history with similar exploits, the reputational damage may be far greater.
Third Major Exploit in 18 Months
This incident marks the third significant breach for Abracadabra in less than two years.
- In January 2024, the protocol suffered a $6.4 million hack that also leveraged a solvency bypass.
- In March 2025, a seven-step flash loan attack drained $13 million in MIM.
Combined with the latest breach, Abracadabra’s total losses now exceed $21 million, making it one of the most frequently targeted DeFi projects since 2024.
Security analysts say the pattern suggests systemic weaknesses within the protocol’s smart contract architecture. While Abracadabra has repeatedly vowed to strengthen its infrastructure, the latest attack indicates those measures are still insufficient.
A DAO Under Pressure
Following the latest exploit, Abracadabra’s DAO has pledged to review internal processes and update its security standards. The team has not yet issued a public-facing statement, but members on Discord expressed frustration at the repeated breaches.
Analysts have also pointed out that Abracadabra’s reliance on older codebases may continue to leave it exposed. Despite upgrades, DeFi’s composability — where protocols build on one another’s smart contracts — can make vulnerabilities difficult to isolate or patch.
Lessons for the DeFi World
While $1.8 million may seem minor compared to previous DeFi mega-hacks, Abracadabra’s latest breach underscores how persistent security lapses can erode trust in decentralized finance. As projects race to innovate, robust auditing and contract deprecation remain crucial defenses against repeat attacks.
The Abracadabra DAO says it will publish a full post-mortem once investigations are complete. Until then, investors and users remain wary of whether the platform’s “magic” can ever truly be restored.