Abracadabra, the decentralised finance lending platform behind the Magic Internet Money stablecoin, has lost about $1.8 million after an attacker exploited a weakness in one of its smart contracts.
The breach occurred late Saturday night, allowing the attacker to bypass solvency checks and withdraw 1.79 million MIM from the protocol.
Security firm BlockSec Phalcon said the attacker used a loophole in a deprecated function to drain the funds before moving them through Tornado Cash.
How did the exploit unfold?
Investigators found that the attacker’s wallet had been funded using Tornado Cash, a privacy-focused protocol often used to obscure digital transactions. After the exploit, the stolen MIM tokens were quickly swapped for ETH and then sent back into Tornado Cash.
This cycle made it harder to trace the movement of the funds and identify the attacker.
Also Read: Crypto Losses Fall To $28.8M In March, Down From $1.5B February Spike, Report
A contributor known as 0xMerlin confirmed the breach in a message to the project’s community on Discord.
He said that the issue was linked to older contracts and had already been contained. “A potential attack vector was identified today in some deprecated contracts. The issue has been mitigated and closed,” he wrote.
He also explained that the affected tokens were repurchased from the market using the DAO’s treasury funds and are now being converted back to ETH to repay the treasury. According to him, no user deposits were lost in the incident.
Details on the protocol and previous hacks
Magic Internet Money, or MIM, has a circulating supply of about 44 million tokens, most of its activity has been on Ethereum and Arbitrum. As of now, Abracadabra holds $154 million total value locked, making it one of the more established DeFi lending platforms in the market.
Still continuing on the trend of security issues for the project, in January 2024, Abrcadabra lost $6.4 million due to a vulnerability in one of its smart contracts that allowed another actor to evade solvency checks.
A few months after its first hack, in March 2025, the platform suffered another hack and $13 million loss following a complex flash loan attack that played out in several steps.
Combined, these breaches have cost the protocol more than $21 million in losses since 2024.
0xMerlin said the team is now reviewing its internal procedures to avoid repeating the same mistakes.
The review will include strengthening the auditing process, updating older code, and improving the platform’s defence against similar threats.
Kraken stops a different kind of hack attempt
In a separate security event, we reported, crypto exchange Kraken reported that it had intercepted an elaborate attempt by a North Korean hacker posing as a employee looking for a job.
The attacker applied for an engineering position at the company and managed to pass through several rounds of interviews.
During the process, Kraken’s internal security team monitored unusual activity linked to the applicant and took steps to confirm their suspicions.
Also Read: Crypto User Suffers Devastating $510,294 Loss After Accidentally Copying Fraudulent Wallet Address