- Popular DeFi protocol Abracadabra was exploited this week in an attack that caused its stablecoin, Magic Internet Money (MIM), to lose its peg. A hacker stole $65 million by exploiting a rounding error bug.
- This exploit comes during a rough January for DeFi, with over $126 million lost across 19 incidents so far. The Abracadabra hack caused MIM to severely deviate from its $1 peg, sparking concerns.
- The incident raises further questions around Abracadabra’s ability to recover given its founder’s controversial reputation and association with previous hacks of Wonderland and Popsicle Finance.
The popular DeFi protocol Abracadabra was exploited this week in an attack that caused its stablecoin, Magic Internet Money (MIM), to lose its peg. This incident is just the latest hack in a troubling start to 2024 for decentralized finance.
A hacker was able to steal at least $65 million in MIM on Ethereum after taking advantage of a rounding error bug in Abracadabra’s Cauldron v4 lending contracts. The attacker repeatedly exploited the bug, in which the contracts failed to properly synchronize elastic and base debt values when the elastic value was zero.
This caused the hacker’s debt to be underestimated, letting them get away with paying back far less than they owed. The stolen MIM was swapped for ETH and transferred to new wallets.
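To illustrate the desynchronization described above, here is a simplified Python model with an invariant check a monitor or test suite could run after every state change. It is an added example, not Abracadabra's contract code; it assumes elastic is the total debt in tokens and base is the total debt shares, and all names and numbers are constructed.

```python
from dataclasses import dataclass


@dataclass
class DebtLedger:
    elastic: int  # total debt owed, in tokens (assumed meaning)
    base: int     # total debt shares held by borrowers (assumed meaning)


def debt_value(ledger: DebtLedger, shares: int, round_up: bool = True) -> int:
    """Token debt represented by `shares`, rounded in the protocol's favour."""
    if ledger.base == 0:
        return shares  # empty ledger: shares and tokens map 1:1
    quotient, remainder = divmod(shares * ledger.elastic, ledger.base)
    return quotient + 1 if round_up and remainder else quotient


def invariant_violations(ledger: DebtLedger) -> list[str]:
    """Elastic and base must be zero together; anything else is a desync."""
    problems = []
    if ledger.elastic == 0 and ledger.base > 0:
        problems.append("elastic is zero but debt shares are outstanding")
    if ledger.base == 0 and ledger.elastic > 0:
        problems.append("debt is recorded but no shares exist to owe it")
    return problems


if __name__ == "__main__":
    # Constructed sample states, not on-chain data.
    states = {
        "in sync": DebtLedger(elastic=1_000_000, base=1_000_000),
        "desynchronized": DebtLedger(elastic=0, base=1_000_000),
        "near zero": DebtLedger(elastic=1, base=1_000_000),
    }
    borrower_shares = 250_000
    for name, ledger in states.items():
        owed_up = debt_value(ledger, borrower_shares)
        owed_down = debt_value(ledger, borrower_shares, round_up=False)
        print(f"{name}: owes {owed_up} (round up) / {owed_down} (round down),"
              f" violations={invariant_violations(ledger)}")
```

In the desynchronized state the borrower's shares are valued at zero debt, which is the underestimation the article describes; the near-zero state shows why debt should round up rather than down.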
A Costly January
Prior to this exploit, over $126 million had already been lost in January across 19 incidents, according to bug bounty platform Immunefi. This represents a six-fold increase from January 2023.
The biggest incident was the $80 million theft from Orbit Bridge. Hackers targeted Ethereum the most, followed by BNB Chain, Arbitrum, and Solana. As crypto assets grow in value, 2024 is on track to see the largest nominal losses to exploits ever.
Concerns for MIM
The attack caused MIM to deviate severely from its intended $1 peg, falling as low as $0.77 before recovering somewhat. This sparked concerns among MIM holders given the stablecoin’s history of maintaining its peg.
Abracadabra and MIM were created by Daniele Sestagalli, a prominent DeFi figure who is also behind Wonderland and Popsicle Finance. However, his reputation suffered due to his association with a controversial Wonderland team member.
Popsicle Finance also suffered a $20 million hack in 2021. While still operating, the protocol has never recovered. This latest exploit raises further questions around Abracadabra’s ability to overcome this obstacle.
In summary, the Abracadabra exploit capped off a rough January for DeFi. The attack took advantage of a rounding error bug that allowed the hacker to get away with stealing millions. This incident, along with the multitude of hacks in January, highlights the urgent need for improved security practices in DeFi.