Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024

Abracadabra, a DeFi lending protocol which also issues the decentralized Magic Internet Money (MIM) stablecoin, lost nearly $1.8 million worth of MIM after an attacker exploited a flaw in one of the protocol's functions. 

In the attack, which occurred late Saturday night, an unknown threat actor leveraged a smart contract vulnerability to bypass solvency checks, allowing them to extract 1.79 million MIM from the protocol, according to security firm BlockSec Phalcon . The attack wallet's initial funding came from mixing protocol Tornado Cash; following the attack, the attacker swapped the tokens for ETH and sent it back to Tornado. 

"A potential attack vector was identified today in some deprecated contracts. The issue has been mitigated and closed," DAO contributor 0xMerlin wrote on the protocol's Discord server . "The affected MIM (although minimal) was bought back from the market using the DAO treasury and is currently awaiting repayment to the DAO treasury in ETH...No user funds have been affected." 

MIM currently has a circulating supply of nearly 44 million tokens, according to Abracadabra's data , with most of the tokens trading on Ethereum and its Layer 2 network Arbitrum. The protocol has a total value locked (TVL) figure of $154 million. 

The attack marks the third major security incident for the lending protocol. Abracadabra lost $6.4 million to a smart contract hack that also managed to bypass insolvency checks in January 2024, and a hacker stole $13 million worth of MIM in March 2025 with a seven-step flash loan attack. Altogether, the protocol has lost over $21 million in funds since 2024 to exploits. 

0xMerlin also said the Abracadabra team is reviewing internal processes in order to strengthen the protocol and prevent similar issues from arising in the future. Abracadabra could not be immediately reached for comment by The Block, and the team has not yet issued a public-facing statement.