QuillAudits

Posted on • Originally published at quillaudits.com

DeFi Breach: Abracadabra Loses $1.8M

On October 4, 2025, the Abracadabra protocol suffered a significant exploit of its Cauldron V4 contracts, resulting in the theft of around 1,793,766 MIM (~$1.8M). The attack exploited a logic flaw in the cook() multi-action function: Action 5 (borrow) flags the call as requiring a solvency check, but Action 0 reset that status, so the check never ran and the attacker could borrow without adequate collateral.

Although the Cauldron V4 contracts were deprecated, they remained live and unaudited, leaving the protocol exposed. The attacker repeatedly alternated between the two actions within single cook() calls to drain funds, which were later swapped to ETH via Curve and Uniswap and laundered through Tornado Cash.

How the Exploit Worked

The vulnerability stemmed from the cook() function's handling of the shared CookStatus struct that carries state between the actions of one call. When Action 5 performed a borrow, it set needsSolvencyCheck = true so that the collateral check would run once at the end of the call. However, Action 0, executed through _additionalCookAction(), returned a fresh struct, clearing the flag and effectively bypassing collateral verification for every borrow that preceded it.

This simple yet critical logic error enabled the attacker to repeatedly borrow without proper collateral, leading to a loss of $1.8M.
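The following is an added example, not Abracadabra's Cauldron V4 code, that models the control flow described above in Python so the bypass can be exercised directly. It keeps the page's names (cook, CookStatus, needsSolvencyCheck, Action 5 = borrow, Action 0 = the custom action routed through _additionalCookAction) and assumes everything else: the Cauldron class, the 75% loan-to-value limit, an in-memory debt ledger, and revert-on-insolvency semantics. The hardened variant only updates the fields Action 0 owns instead of replacing the whole struct.

```python
"""Model of the cook() status-reset flaw (added example, not project code).

Assumed for illustration: a Cauldron with one user, a 75% LTV limit, and
revert semantics simulated by restoring the debt snapshot and raising.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

ACTION_CUSTOM = 0   # page's "Action 0", routed through _additionalCookAction
ACTION_BORROW = 5   # page's "Action 5"
LTV_LIMIT = 0.75    # assumed: debt may not exceed 75% of collateral


class InsolventError(Exception):
    """Stands in for the EVM revert raised by the solvency check."""


@dataclass
class CookStatus:
    needsSolvencyCheck: bool = False
    hasAccrued: bool = False


class Cauldron:
    def __init__(self, collateral: float, fixed: bool):
        self.collateral = collateral
        self.debt = 0.0
        self.fixed = fixed  # True = hardened _additionalCookAction

    def _is_solvent(self) -> bool:
        return self.debt <= self.collateral * LTV_LIMIT

    def _additional_cook_action(self, status: CookStatus) -> CookStatus:
        if self.fixed:
            # Hardened: update only the field this action owns, preserving
            # the solvency flag set by earlier actions in the same call.
            return replace(status, hasAccrued=True)
        # Vulnerable: a brand-new struct is handed back, so the borrow that
        # ran earlier in this same cook() call no longer demands a check.
        return CookStatus(hasAccrued=True)

    def cook(self, actions: List[Tuple[int, float]]) -> None:
        snapshot = self.debt
        status = CookStatus()
        for action, amount in actions:
            if action == ACTION_BORROW:
                status.needsSolvencyCheck = True
                self.debt += amount
            elif action == ACTION_CUSTOM:
                status = self._additional_cook_action(status)
            else:
                raise ValueError(f"unknown action {action}")
        # One solvency check at the end of the batch, gated on the flag.
        if status.needsSolvencyCheck and not self._is_solvent():
            self.debt = snapshot  # simulate revert
            raise InsolventError("user is insolvent after cook()")


def cook_batch(fixed: bool, batch: List[Tuple[int, float]],
               collateral: float = 100.0) -> Tuple[bool, float]:
    """Run one cook() call; return (reverted, resulting debt)."""
    c = Cauldron(collateral=collateral, fixed=fixed)
    try:
        c.cook(batch)
        return False, c.debt
    except InsolventError:
        return True, c.debt


def attack_batch(rounds: int) -> List[Tuple[int, float]]:
    """The attacker's pattern: every borrow is followed by Action 0."""
    return [(ACTION_BORROW, 100.0), (ACTION_CUSTOM, 0.0)] * rounds


if __name__ == "__main__":
    # Vulnerable: 300 MIM borrowed against 100 collateral, no revert.
    print("vulnerable:", cook_batch(False, attack_batch(3)))
    # Hardened: the flag survives Action 0, the check runs, call reverts.
    print("hardened:  ", cook_batch(True, attack_batch(3)))
    # A batch that ends with the borrow is still checked even when vulnerable,
    # which is why the attacker had to interleave Action 0 after each borrow.
    print("plain borrow:", cook_batch(False, [(ACTION_BORROW, 100.0)]))
```

Run as a script to see the three outcomes side by side; the decisive difference is only in `_additional_cook_action`, which is the same shape of fix a batched function should take whenever a later step can rewrite state that an earlier step's safety check depends on.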

Immediate Mitigation

Abracadabra's team paused all borrowing from the affected Cauldrons and used the DAO treasury to buy back the MIM the attacker dumped, neutralizing the market impact. Fortunately, no user funds were affected, and the protocol's overall TVL ($154M) remained intact.

Curious to know more?
We have a detailed blog on the exploit — The Abracadabra Hack

Key Takeaways

  • Deprecated contracts should be deactivated, not merely abandoned; if they must stay live, they need the same audit coverage as active ones.
  • Multi-action (batched) functions must not let one action clear a safety flag that another action in the same call has set.
  • Swift response, pausing and buybacks can help contain market effects after an exploit.

The Abracadabra hack serves as a stark reminder that even minor logic flaws can cost millions in DeFi protocols.
