Hack Explained - Abracadabra

Hack Explained - Abracadabra


2 min read

Abracadabra.money is a decentralised finance (DeFi) platform that specialises in crypto lending. It allows users to use interest-bearing tokens as collateral to borrow the omnistablecoin MIM. The platform leverages its native SPELL token for collateralised stablecoin loans. On January 31st, following a $6.5M hack, the MIM stablecoin fell from peg causing ecosystem-wide repercussions.

Behind the Breach

The root cause of the exploit was due to a rounding issue in the CauldronV4 code.
The CauldronV4 contracts' borrow feature was susceptible to exploitation through the manipulation of the part parameter (the user's proportion of the overall debt). This vulnerability could be exploited by repeatedly borrowing and repaying an asset, thereby leveraging the rounding error.

The exploited CauldronV4 contracts:



How the hack unfolded:

  1. A Flashloan for MIM tokens was executed.

  2. The MIM tokens were donated to BentoBox by depositing them into BentoBox, designating BentoBox itself as the recipient.

  3. Repayments were made for all other users by using the repayForAll() function. However, ensuring the repayment was incomplete, maintaining the elastic value after repayment above the threshold of 1000 * 1e18.

  4. A cycle of borrowing and repaying was initiated to artificially increase the share price.

  5. The collateral was increased and then a substantial amount of MIM tokens were borrowed.

  6. The flashloan was repaid and the stolen assets were taken.

The Aftermath

The Abracadabra team have commenced an initiative to reach out to the attacker on-chain to try and negotiate for some funds to be returned.

Funds are currently in the following two addresses:



Time will tell if the team will be successful in recovering any of the stolen $6.5M.

Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.