DeFi lending protocol Abracadabra identified and resolved a smart contract vulnerability Saturday night that resulted in 1.79 million MIM tokens being extracted from deprecated contracts, with the protocol using treasury funds to maintain system stability.
Security firm BlockSec Phalcon documented the technical details of the incident. An address leveraged a function flaw in deprecated contracts to bypass solvency checks, extracting 1.79 million Magic Internet Money tokens from the protocol's smart contracts.
The transaction involved initial funding through Tornado Cash, with the extracted tokens later converted to Ethereum. DAO contributor 0xMerlin addressed users on Abracadabra's Discord server, confirming the issue was identified, mitigated, and closed.
The protocol deployed its DAO treasury to repurchase the affected $MIM from the market. 0xMerlin confirmed no user funds were impacted by the technical issue, with the bought-back tokens awaiting conversion to Ethereum for treasury repayment.
MIM maintains a circulating supply of nearly 44 million tokens according to Abracadabra's data. Most trading activity occurs on Ethereum and the Arbitrum layer-2 network, with the protocol holding $154 million in total value locked.
This marks the protocol's third technical incident requiring treasury intervention since 2024. Previous smart contract issues occurred in January 2024 and March 2025, with the protocol responding through similar treasury-backed stabilization measures each time.
The Abracadabra team is conducting internal process reviews to strengthen protocol infrastructure. 0xMerlin stated the team is implementing measures to prevent similar technical issues from arising in future contract deployments and DeFi operations.
The protocol's response demonstrates established procedures for handling smart contract vulnerabilities. Treasury reserves continue supporting system stability while development teams work on enhanced security protocols for the lending platform's ongoing operations.