Decentralized lending platform Abracadabra Money has fallen victim to another security breach, losing roughly $1.8 million worth of its Magic Internet Money (MIM) stablecoin in what marks the protocol’s third major exploit since 2024.
According to a blockchain security firm, the attacker exploited a flaw in one of Abracadabra’s smart contract functions late Saturday, manipulating a solvency check to borrow more MIM than their collateral allowed. On-chain data shows the attacker’s wallet was initially funded via Tornado Cash, and after draining the funds, they swapped the stolen MIM for ETH before sending it back through the mixer.
Abracadabra contributor 0xMerlin confirmed the vulnerability in a Discord post, stating that the issue had been “mitigated and closed.” The DAO later bought back the affected tokens using treasury funds.
The exploit follows a pattern of recurring security lapses within the protocol. In January 2024, Abracadabra lost $6.4 million in a similar attack targeting its solvency logic. Another $13 million exploit in March 2025 leveraged a complex flash-loan sequence to drain collateral reserves. Combined, the three incidents have cost the project over $21 million in total losses.
Despite the breach, Abracadabra’s MIM stablecoin, which has a circulating supply of roughly 44 million tokens and operates across Ethereum and Arbitrum, maintained relative stability, trading near its $1 peg. The platform’s total value locked (TVL) currently stands around $154 million, according to DeFiLlama data.
The Abracadabra team said it is reviewing internal procedures to strengthen security and prevent similar exploits in the future. The protocol has not yet issued an official public statement, and representatives did not immediately respond to requests for comment.
