- Blockbasis
- Posts
- Abracadabra: Inside the $6.5 Million Hack
Abracadabra: Inside the $6.5 Million Hack
Abracadabra Hack: How a $6.5 Million Exploit Exposed Vulnerabilities in CauldronV4, Impacting Magic Internet Money and Shaking Confidence in DeFi Security
Blockbasis
January 30, 2024
TL;DR
Abracadabra suffered a $6.5M hack due to a rounding issue in the CauldronV4 code. The exploit involved manipulating the borrow function, leading to MIM liquidity being drained from yvCrv3Crypto and magicAPE cauldrons. Efforts to restore the MIM peg brought it to $0.97, with further measures needed for full recovery.
Make Sure This Hack Doesn’t Happen To You 🫵
Subscribe to Blockbasis and get access to our premium scanner to check whether your the funds in your wallet is safeguarded from hacks 🔐
For a limited period only, you can get a 7 day FREE trial!
Tried to scan your wallet for any exploited contracts connected to your wallet?
If not, you probably should. Better be safe than sorry 🙏
— Blockbasis (@Blockbasis)
1:19 PM • May 6, 2022
All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇
Yesterday, an unexpected breach caused two of Abracadabra’s cauldrons to spring a leak.
The lending platform suffered a $6.5 million hack on Ethereum, and Abracadabra’s Magic Internet Money appeared far less magical…
BlockSec and Peckshield raised the alarm, with BlockSec also advising users to withdraw their assets. Shortly after, the Abracadabra team officially acknowledged the breach, promising to restore the MIM peg:
“To the best of its ability, the DAO treasury will be buying back MIM from the market to then burn.”
Just over an hour after the attack began, the issue had been mitigated, according to an Abracadabra team member. The team’s efforts brought MIM back up to around $0.95.
With the stablecoin currently hovering around $0.97, the question remains: what will it take for MIM to fully repeg?
Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.
The root cause of the exploit was identified as a rounding issue in the CauldronV4 code.
The borrow function in CauldronV4 contracts was vulnerable to manipulation through the part parameter (the user’s share of total debt). By repeatedly borrowing and repaying an asset, the attacker exploited this rounding error. For a more in-depth analysis, see here.
A 🧵 on how yesterday's @MIM_Spell attack worked. The protocol did everything right. They rounded in the protocol's favour whenever they should but one additional function, meant to only reduce the user's funds, ended up enabling the attack. How?
— Kankodu (@kankodu)
6:37 AM • Jan 31, 2024
This vulnerability allowed the attacker to drain MIM liquidity from the yvCrv3Crypto and magicAPE cauldrons, exploiting the incorrect debt calculation.
Step-by-step:
Flashloan MIM token with Degenbox: The attacker initiates a flashloan to borrow a large amount of MIM tokens from Degenbox.
Donate MIM token to BentoBox: The attacker deposits MIM tokens into BentoBox, with BentoBox itself set as the recipient. This exploits the ERC-4626 first depositor vulnerability.
Repay liabilities for all other users: The attacker calls repayForAll() to repay liabilities for all other users. However, they ensure the repayment is incomplete so that the elastic value remains above the 1000 * 1e18 threshold. To achieve this, the attacker manually repays liabilities for other borrowers until the borrow elastic value is zero.
Repeatedly borrow and repay to inflate the share price: The attacker repeatedly borrows and repays, taking advantage of the ERC-4626 first depositor vulnerability to inflate the share price.
Add collateral and borrow a large amount of MIM tokens: With the inflated share price, the attacker adds collateral and borrows a substantial amount of MIM tokens.
Repay flashloan and take profit: Finally, the attacker repays the flashloan and pockets the profit.
The resulting dump of the stolen MIM for ETH caused the depeg.
Attacker address: 0x87f585809ce79ae39a5fa0c7c96d0d159eb678c9
Attack transactions:
Attack tx 1 (10:14 UTC): 0x26a83db7…
Attack tx 2 (10:26 UTC): 0xdb4616b8…
Exploited CauldronV4 contracts:
yvCrv3Crypto: 0x7259e152103756e1616A77Ae982353c3751A6a90
Funds are currently held in two accumulation addresses: Exploiter address 2 ($4.2M) and Exploiter address 3 ($2.2M). The Abracadabra team has reached out on-chain in an attempt to open negotiations.
Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter
After a busy start to January and chaotic ETF approval announcements, the long-awaited TradFi-propelled market turnaround never materialized. Apathy now dominates the timeline.
Even a multimillion-dollar exploit of a key player from the last bull run seems to have barely made a ripple.
Abracadabra’s Degenbox, crucial in the overleveraged Anchor play that led to the collapse of LUNA/UST, is back in the spotlight. Co-founder Daniele Sesta remains one of the few main characters from that cycle who hasn’t ended up behind bars.
In 2021, populist calls to "Occupy DeFi" and a knack for ponzi-pivoting propelled Frog Nation projects to enormous TVLs despite limited innovation. Even a $20M hit on Popsicle and the Wonderland Sifu scandal didn’t deter the degens.
Yesterday’s hack comes just as new offerings are being teased.
Is this a taste of things to come?
Instantly calculate the time you can save by automating compliance
Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.
Instantly calculate how much time you can save with Vanta.