Abracadabra Hack (October)

On October 2025, Abracadabra Money, the DeFi lending protocol behind the Magic Internet Money (MIM) stablecoin, suffered another exploit costing about $1.8 million, its third major incident after a January 2024 loss and a March 2025 GMX V2 Cauldron exploit. Per Halborn, the attacker abused a flaw in how a Cauldron contract managed internal state across multiple actions within a single transaction, allowing them to borrow far more than their collateral should have permitted before repaying the flash-funded position. Abracadabra paused affected markets and coordinated with security partners. While modest in size next to the protocol’s earlier losses, the repeat nature of the incident highlighted the difficulty of fully hardening complex, composable lending logic and reinforced calls for invariant testing, intermediate solvency checks, and conservative state handling in multi-step transactions.