Hack Explained - Abracadabra

Hack Explained - Abracadabra

Rivanorth's photo
Rivanorth
·

2 min read

Abracadabra.money is a decentralised finance (DeFi) platform that specialises in crypto lending. It allows users to use interest-bearing tokens as collateral to borrow the omnistablecoin MIM. The platform leverages its native SPELL token for collateralised stablecoin loans. On January 31st, following a $6.5M hack, the MIM stablecoin fell from peg causing ecosystem-wide repercussions.

Behind the Breach

The root cause of the exploit was due to a rounding issue in the CauldronV4 code.
The CauldronV4 contracts' borrow feature was susceptible to exploitation through the manipulation of the part parameter (the user's proportion of the overall debt). This vulnerability could be exploited by repeatedly borrowing and repaying an asset, thereby leveraging the rounding error.

The exploited CauldronV4 contracts:

0x7259e152103756e1616A77Ae982353c3751A6a90

0x692887E8877C6Dd31593cda44c382DB5b289B684

How the hack unfolded:

  1. A Flashloan for MIM tokens was executed.

  2. The MIM tokens were donated to BentoBox by depositing them into BentoBox, designating BentoBox itself as the recipient.

  3. Repayments were made for all other users by using the repayForAll() function. However, ensuring the repayment was incomplete, maintaining the elastic value after repayment above the threshold of 1000 * 1e18.

  4. A cycle of borrowing and repaying was initiated to artificially increase the share price.

  5. The collateral was increased and then a substantial amount of MIM tokens were borrowed.

  6. The flashloan was repaid and the stolen assets were taken.

The Aftermath

The Abracadabra team have commenced an initiative to reach out to the attacker on-chain to try and negotiate for some funds to be returned.

Funds are currently in the following two addresses:

0x40d5FFA20fC0dF6bE4D9991938dAa54E6919c714

0xbD12D6054827ae3fc6D23B1aCf47736691b52Fd3

Time will tell if the team will be successful in recovering any of the stolen $6.5M.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.

defi securitySecuritydefiDefi hackshacksecurity breach#cybersecurityethereum smart contractsEthereumCryptocurrencycrypto