Monday, October 27, 2025

Abracadabra’s $1.8 million hack repeats previous fork mistake, Hacken reveals


Abracadabra, a decentralized finance (DeFi) lending protocol, has suffered a significant loss of approximately $1.8 million due to an exploit in its batch function. According to analysts at Hacken, a blockchain security firm, the attacker took advantage of a simple logic error to drain six Cauldrons at once, then swapped the stolen Magic Internet Money (MIM) for Ethereum (ETH) and laundered the funds through Tornado Cash.

Understanding the Exploit

The exploit occurred due to a flaw in Abracadabra’s Cook() function, which allows users to perform multiple actions in a single transaction. The attacker was able to bypass a security flag designed to verify that borrowers had enough collateral, enabling them to take out loans without depositing collateral. This was achieved by calling the “Borrow” action and then the “_additionalCookAction()” function, which reset the “needsSolvencyCheck” flag, allowing the attacker to avoid the solvency check.
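The flag reset described above, as an added example that is not Abracadabra's contract code: a simplified Python model of a batch executor, with the overwriting flag update beside a sticky one. The action ids, the toy solvency rule, and the assumption that the reset comes from the hook's returned status replacing the running flag are all hypothetical.

```python
from dataclasses import dataclass, replace

BORROW, ADD_COLLATERAL, OTHER = "borrow", "add_collateral", "other"  # hypothetical ids

class Insolvent(Exception):
    """Stands in for the revert that a failed solvency check triggers."""

@dataclass(frozen=True)
class Position:
    collateral: int = 0
    debt: int = 0
    def solvent(self) -> bool:
        # Toy rule (assumption): debt may be at most half of collateral.
        return self.debt * 2 <= self.collateral

def _additional_cook_action(action, value):
    # Extension hook that handles nothing here and returns a default status,
    # i.e. needs_solvency_check = False (assumed mechanism of the reset).
    return False

def cook(pos, actions, hardened):
    """Run a batch on a copy of pos; raise Insolvent (state unchanged) on failure."""
    needs_solvency_check = False
    for action, value in actions:
        if action == BORROW:
            pos = replace(pos, debt=pos.debt + value)
            needs_solvency_check = True
        elif action == ADD_COLLATERAL:
            pos = replace(pos, collateral=pos.collateral + value)
        else:
            returned = _additional_cook_action(action, value)
            if hardened:
                needs_solvency_check = needs_solvency_check or returned  # sticky
            else:
                needs_solvency_check = returned  # bug: clears an earlier True
    if needs_solvency_check and not pos.solvent():
        raise Insolvent("position undercollateralised at end of batch")
    return pos

def debt_after(actions, hardened):
    """Return the resulting debt, or None if the batch reverted."""
    try:
        return cook(Position(), actions, hardened).debt
    except Insolvent:
        return None

# Constructed regression inputs: a borrow followed by an unrelated action.
REGRESSION_BATCH = [(BORROW, 100), (OTHER, 0)]
HONEST_BATCH = [(ADD_COLLATERAL, 200), (BORROW, 100), (OTHER, 0)]
```

A batch-level invariant test of this shape (any batch containing a borrow must end with the solvency check executed) catches the reset regardless of which later action causes it.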

The attacker targeted six Cauldrons, taking approximately 1.79 million MIM and exchanging it for ETH. The stolen funds were then routed through Tornado Cash, a cryptocurrency mixing protocol, 10 ETH at a time. The funds were gradually sent out the next day, making it difficult to track the attacker’s movements.

Previous Incidents and Code Vulnerabilities

This is not the first time Abracadabra’s code has been targeted. Earlier this year, the protocol’s CauldronV4 code was exploited using different edge cases in the same contract family. The recent incident highlights the importance of addressing vulnerabilities and implementing robust security measures to prevent such exploits. Interestingly, a fork of Abracadabra, called Synnax, had paused or dewhitelisted its CauldronV4 master on its own DegenBox days before the Abracadabra drain, suggesting that the risk was visible to teams observing the code.

Abracadabra’s incident serves as a reminder of the importance of code security and the need for continuous monitoring and testing to identify vulnerabilities. The protocol’s use of a batch function, while convenient for users, also introduces additional risks that must be carefully managed. As the DeFi space continues to evolve, it is essential for protocols to prioritize security and implement robust measures to protect user funds.

For more information on the Abracadabra exploit and the importance of code security in DeFi, visit https://crypto.news/abracadabra-1-8m-hack-repeats-earlier-fork-flaw/.
