The decentralized finance (DeFi) community was once again rattled by a significant security breach targeting Abracadabra, the lending protocol that issues the USD-pegged stablecoin Magic Internet Money (MIM). According to an in-depth analysis by CertiK, a blockchain security firm, the exploit resulted in the loss of 6,261.13 ETH, valued at approximately $12.9 million.
The incident, centered on the Arbitrum blockchain, exposed a critical vulnerability in the integration between Abracadabra's RouterOrder and Cauldron contracts, yet another reminder of the risks inherent in DeFi systems.
CertiK's investigation reportedly pinpointed the root cause: a flaw in how the RouterOrder contract processed orders placed through the GMX V2 protocol.
The attacker crafted an order that let them borrow ETH against collateral worth nothing, an oversight caused by inadequate validation of the order before the loan was granted.
Normally the Cauldron contract, which manages lending and borrowing in Abracadabra, requires collateral to secure every loan.
The RouterOrder integration failed to enforce that requirement, and the attacker used the gap to drain two specific Cauldrons (V4 ETH and V4 GLP).
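The mismatch described above, a lending market that lets an external order router vouch for collateral it never actually received, is easiest to see side by side with a hardened version. The following Solidity is an added illustrative model written for this article, not Abracadabra's, GMX's or CertiK's code, and the article describes the flaw only at the level of "borrowing against zero-value collateral", so the mechanics below are a generic pattern rather than a reconstruction of the real RouterOrder or Cauldron contracts. Every contract, struct and function name (IOrderRouter, MarketVulnerable, MarketHardened, onOrderExecuted, the 75% LTV) is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Abracadabra's, GMX's or CertiK's code. A
// deliberately simplified lending market whose collateral arrives through
// an external order router. Every contract, struct and function name here
// is an assumption made for the example.

interface IOrderRouter {
    struct Order {
        address owner;
        address market;           // market the collateral is destined for
        uint256 collateralAmount; // amount the order claims to deposit
        bool executed;            // true only once the router settled it
    }
    function getOrder(bytes32 key) external view returns (Order memory);
}

abstract contract MarketBase {
    IOrderRouter public immutable router;
    uint256 public constant LTV_BPS = 7_500;       // 75% loan-to-value (assumed)
    uint256 public liquidity;                       // lendable ETH, in wei
    mapping(address => uint256) public debt;
    mapping(address => uint256) public collateral;  // collateral actually held

    event Borrowed(address indexed who, uint256 amount);

    constructor(IOrderRouter r) { router = r; }

    // Lenders fund the market with ETH.
    function fund() external payable { liquidity += msg.value; }

    // Shared payout path; state is updated before the external call.
    function _lend(address to, uint256 amount) internal {
        require(amount <= liquidity, "no liquidity");
        liquidity -= amount;
        debt[to] += amount;
        emit Borrowed(to, amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Vulnerable variant: the borrow limit is computed from whatever the
/// order claims, so an order that never delivered anything still unlocks
/// a loan. Economically this is lending against collateral worth zero.
contract MarketVulnerable is MarketBase {
    constructor(IOrderRouter r) MarketBase(r) {}

    function borrowAgainstOrder(bytes32 key, uint256 amount) external {
        IOrderRouter.Order memory o = router.getOrder(key);
        require(o.owner == msg.sender, "not order owner");
        // BUG: o.executed, o.market and this market's own collateral balance
        // are never consulted; an attacker-crafted order with an inflated
        // collateralAmount passes the solvency check.
        uint256 limit = (o.collateralAmount * LTV_BPS) / 10_000;
        require(debt[msg.sender] + amount <= limit, "insolvent");
        _lend(msg.sender, amount);
    }
}

/// Hardened variant: collateral is credited only by the router, only after
/// it settled an order for this market, only once per order, and the borrow
/// limit is derived from that credited balance rather than from order data.
contract MarketHardened is MarketBase {
    mapping(bytes32 => bool) public credited;

    constructor(IOrderRouter r) MarketBase(r) {}

    /// Callback the router invokes once an order has actually executed.
    function onOrderExecuted(bytes32 key) external {
        require(msg.sender == address(router), "only router");
        require(!credited[key], "already credited");
        IOrderRouter.Order memory o = router.getOrder(key);
        require(o.executed, "order not executed");
        require(o.market == address(this), "wrong market");
        require(o.collateralAmount > 0, "zero collateral");
        credited[key] = true;
        collateral[o.owner] += o.collateralAmount;
    }

    function borrow(uint256 amount) external {
        // Solvency is checked against collateral this market really holds.
        uint256 limit = (collateral[msg.sender] * LTV_BPS) / 10_000;
        require(debt[msg.sender] + amount <= limit, "insolvent");
        _lend(msg.sender, amount);
    }
}
```

The hardened contract still trusts the router, but only for orders the router itself reports as executed and destined for this market, and it refuses to credit the same order twice. The remaining checks a reviewer would insist on for a real deployment, such as pricing the collateral through an oracle rather than taking the amount at face value and handling cancelled or partially filled orders, are exactly the kind of integration-boundary validation that a unit test of the market alone will never exercise.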
The stolen ETH was swiftly bridged to the Ethereum mainnet via Stargate, complicating recovery efforts.
The exploit began with the attacker funding their wallet with 0.25 ETH from Tornado Cash, a privacy tool often linked to illicit activities.
Using this small seed, they executed the attack across multiple transactions targeting the affected Cauldrons on Arbitrum.
Posts on social media from users such as @WatcherOracle and @CryptoIndiaMag noted that while the MIM lending markets were hit, the broader GMX ecosystem remained unaffected, underscoring the attack's precision.
CertiK's timeline shows the breach unfolded rapidly, with the stolen funds bridged off Arbitrum within hours.
Abracadabra's response was immediate but limited in scope: the team reduced the borrow limits on the affected Cauldrons to zero, halting further losses.
By then the funds were already gone, and the incident reignited debate about DeFi security.
CertiK emphasized that the vulnerability could have been prevented with stricter input validation and integration testing of the contracts, standard practices that should have caught the flaw before deployment.
This $12.9 million exploit joins a growing list of DeFi incidents in 2025, highlighting the trade-off between innovation and security in decentralized systems.
For Abracadabra and MIM's users it is a costly lesson: the lending markets behind even a stablecoin designed for reliability are not immune, as many other protocols have shown, to the pitfalls of smart contracts.
As the industry evolves, robust auditing and proactive safeguards remain critical to protecting user funds.