Abracadabra, the DeFi lending platform behind the Magic Internet Money (MIM) stablecoin, suffered its third major exploit in two years, losing approximately $1.7 million in MIM tokens. This latest DeFi breach follows a string of major crypto exploits, including the SBI Crypto $21M North Korea-linked hack that targeted mining infrastructure just weeks earlier.
Imagine you lend your friend 10 chocolates and expect 10 back. Now imagine your friend finds a secret trick in your lending rulebook that lets them take 100 chocolates instead, and the system never checks whether they actually had anything to borrow against. Blockchain investigators from GoPlus Security and Phalcon identified the flaw in the platform’s “cook” function, a critical component that processes multiple user actions in a single transaction.
.@MIM_Spell was attacked hours ago, resulting in a loss of ~$1.7M. The root cause stems from the flawed implementation logic of the cook function, which allows users to execute multiple predefined operations in a single transaction. Specifically, the actions share a common… pic.twitter.com/4tQzkRbwcT
— BlockSec Phalcon (@Phalcon_xyz) October 4, 2025
The vulnerability allowed attackers to bypass solvency checks, repeatedly borrowing funds without proper collateral validation. Roughly 1.79 million MIM were drained across six wallets, followed by laundering through Tornado Cash. The stolen funds were later converted into 344 ETH (around $1.55 million). Soon after, 51 ETH was sent through Tornado Cash, a cryptocurrency mixer used to hide transaction trails.
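As an added illustration (not code from Abracadabra or from the researchers quoted above), the following Python model shows the class of bug the article describes: a batched action processor whose solvency-check flag is a single shared status that a later action can overwrite, beside a version where the flag is sticky and any net increase in debt is checked. The action names, the loan-to-value ratio and the amounts are constructed; the real cook function's action set and the exact way its status is shared are not shown on this page.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    collateral: int = 0   # units of collateral token (constructed)
    debt: int = 0         # units of borrowed stablecoin (constructed)

class LendingBox:
    """Toy lending market: one batched call runs a list of actions, like cook()."""
    LTV_PERCENT = 75      # assumed maximum loan-to-value, not a value from the page

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def is_solvent(self, user: str) -> bool:
        a = self.accounts.setdefault(user, Account())
        return a.debt * 100 <= a.collateral * self.LTV_PERCENT

    def _apply(self, a: Account, kind: str, amount: int) -> Optional[bool]:
        """Execute one action and return the solvency status it reports."""
        if kind == "add_collateral":
            a.collateral += amount
            return None                # no opinion on solvency
        if kind == "borrow":
            a.debt += amount
            return True                # borrowing must be checked
        if kind == "status_reset":     # hypothetical action reporting "no check needed"
            return False
        raise ValueError(f"unknown action {kind}")

    def cook_vulnerable(self, user: str, actions: List[Tuple[str, int]]) -> bool:
        snapshot = copy.deepcopy(self.accounts)
        a = self.accounts.setdefault(user, Account())
        needs_check = False
        for kind, amount in actions:
            status = self._apply(a, kind, amount)
            if status is not None:
                needs_check = status   # BUG: a later action clobbers the borrow's flag
        if needs_check and not self.is_solvent(user):
            self.accounts = snapshot   # revert the whole batch
            return False
        return True

    def cook_hardened(self, user: str, actions: List[Tuple[str, int]]) -> bool:
        snapshot = copy.deepcopy(self.accounts)
        a = self.accounts.setdefault(user, Account())
        debt_before, needs_check = a.debt, False
        for kind, amount in actions:
            needs_check = needs_check or bool(self._apply(a, kind, amount))  # sticky
        # any net debt increase is checked, whatever the per-action statuses said
        if (needs_check or a.debt > debt_before) and not self.is_solvent(user):
            self.accounts = snapshot
            return False
        return True
```

With no collateral, `cook_vulnerable` lets `[("borrow", 1000), ("status_reset", 0)]` through while `cook_hardened` reverts it; a plain `[("borrow", 1000)]` is rejected by both.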
Here’s the key technical data from GoPlus Security’s alert:
- Attacker Address: 0x1AaaDe3e9062d124B7DeB0eD6DDC7055EFA7354d
- Attack Contract: 0xB8e0A4758Df2954063Ca4ba3d094f2d6EdA9B993 (self-destructed after the exploit)
- Attacked Contract (Degenbox): 0xd96f48665a1410c0cd669a88898eca36b9fc2cce
- Attack Transaction: Etherscan Link
After the breach, Abracadabra’s team confirmed in their Discord community that they would use DAO reserve funds to buy back the affected MIM, promising to stabilise the system.
However, the project’s official X (Twitter) account @MIM_Spell has not been updated since September 9, raising community concerns about transparency and communication.
A History of Repeated Attacks
This isn’t the first time Abracadabra has faced a meltdown:
- January 30, 2024 — A flash loan exploit took advantage of a rounding calculation error in the smart contract, draining $6.5 million and briefly causing MIM to lose its peg to the dollar.
- March 25, 2025 — Another business logic flaw during collateral liquidation led to a $13 million loss, marking its second major attack.
These repeated incidents show that even when DeFi projects fix old vulnerabilities, new loopholes often appear in the logic that governs lending and borrowing.
Why DeFi Keeps Breaking: Bridges, Routers, and DAO Weak Points
DeFi platforms like Abracadabra rely on complex, interconnected smart contracts, stacked like Lego blocks across multiple blockchains. These bridges, routers, and decentralised autonomous organisations (DAOs) are powerful but fragile.
Each connection point, especially cross-chain bridges, can become a doorway for attackers. They handle large amounts of assets moving between blockchains, which makes them lucrative targets.
According to Chainlink and Halborn Security, the biggest weaknesses include:
- Cross-chain validation gaps (messages not properly verified)
- Multi-contract dependencies that break under unexpected conditions
- Human errors in governance and key management
Increasingly, hackers are not just attacking code; they’re attacking people. Many Q3 2025 breaches were linked to phishing emails, leaked developer keys, and admin panel compromises, rather than direct software flaws.
Q3 2025 Trends: Smarter Code, Riskier Humans
According to CoinTelegraph and CoinTribune, total crypto hack losses fell 37% in Q3 2025, dropping to $78 million. But the improvement came with a twist: fewer code exploits, more wallet thefts.
September alone saw 16 separate million-dollar incidents, mostly involving private key leaks and social engineering. Attackers are now going after DeFi admins and multisig signers instead of just protocol vulnerabilities. So, while DeFi code is improving, the people running it have become the new weak spot. As one security researcher put it: “We fixed the code, but forgot the humans.”
Community and Technical Reactions
While Abracadabra acted fast by pausing contracts and vowing compensation, critics argue this is yet another example of reactive DeFi security: fixing problems only after the fact.
Some community developers have proposed:
- Real-time circuit breakers to halt abnormal transactions automatically
- AI-driven anomaly detection to flag unusual borrowing patterns
- Clearer DAO governance separation between decision-making and code execution
The pattern is clear: DeFi’s biggest threat now lies between code and coordination.
When Magic Becomes Mayhem
The Abracadabra hack may look like another DeFi mishap, but it reflects a deeper identity crisis in decentralised finance. Smart contracts may be getting smarter, but people and governance systems remain dangerously underprepared. This isn’t just a one-off coding mistake; it’s a reminder that DeFi’s decentralisation dream still depends on centralised accountability. As major tech players like Samsung’s Coinbase integration and Google Pay’s crypto partnerships redefine digital finance, security will determine which ecosystems thrive — and which collapse under their own code.