Security Breach at Abracadabra
A recent security breach at the decentralized finance (DeFi) platform Abracadabra resulted in a loss of approximately $1.8 million. According to an analysis by the security firm Hacken, the incident stemmed from the exploitation of a flaw in the protocol's batch-processing feature. The attacker has reportedly begun laundering the stolen funds through Tornado Cash, a well-known cryptocurrency mixer.
Platform Overview
Abracadabra lets users post interest-earning tokens as collateral and borrow against them in the protocol's stablecoin, Magic Internet Money (MIM). The platform is built on two components: "Cauldrons", the lending markets that set the borrowing terms for each collateral type, and "DegenBox", the shared vault that holds the assets. The breach was possible because the safety check that verifies a borrower still holds adequate collateral could be silently switched off partway through a single batched transaction.
Details of the Exploit
Hacken's research found that the breach stemmed from abuse of the "cook" function. This function lets users bundle multiple operations into a single transaction, for example depositing collateral and borrowing in one call. In the normal flow, when a borrow action is processed, a flag called needsSolvencyCheck is set to true so that the borrower's collateral is verified before the transaction completes.
The flaw lay in a sub-function, _additionalCookAction(…), which returned a status in which needsSolvencyCheck was false, overwriting the true value set by the earlier borrow action, as Hacken's analysis points out. Because the collateral check was gated on that flag, the attacker could borrow without posting any collateral, and repeated the same uncollateralized loan across six separate Cauldrons.
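The bug class is easiest to see in a small model of a batched call whose "needs a solvency check" flag lives in a status value that later actions can overwrite. The following Python is an added illustration, not Abracadabra's or Hacken's code: the action ids, the 75% collateralization rate, the `Cauldron` class and the `_additional_cook_action` hook are all assumed for the example. The vulnerable variant returns a fresh status from the hook, so a borrow followed by a hook-routed action ends the batch with the flag cleared; the hardened variant carries the incoming status through.

```python
# Simplified model of a batched "cook" call. Illustrative only: not the protocol's
# code; every action id, rate and helper name here is an assumption for the example.
from dataclasses import dataclass

ACTION_ADD_COLLATERAL = 10   # assumed action ids
ACTION_BORROW = 5
ACTION_CUSTOM = 99           # anything not handled inline is routed to the hook

COLLATERALIZATION_RATE = 0.75  # assumed: debt may not exceed 75% of collateral value


@dataclass
class CookStatus:
    """Flags accumulated while processing a batch; checked once at the end."""
    needs_solvency_check: bool = False


class Cauldron:
    def __init__(self, overwrite_status):
        # overwrite_status=True reproduces the bug class described in the text:
        # the additional-action hook returns a default status and the loop adopts it.
        self.overwrite_status = overwrite_status
        self.collateral = {}
        self.debt = {}

    def is_solvent(self, user):
        return self.debt.get(user, 0.0) <= self.collateral.get(user, 0.0) * COLLATERALIZATION_RATE

    def _additional_cook_action(self, status):
        if self.overwrite_status:
            # Vulnerable shape: a fresh status, so needs_solvency_check is False
            # no matter what earlier actions in the same batch set.
            return CookStatus()
        # Hardened shape: the incoming status is carried through; a hook may add
        # flags but never clears one that an earlier action raised.
        return status

    def cook(self, user, actions, values):
        status = CookStatus()
        for action, value in zip(actions, values):
            if action == ACTION_ADD_COLLATERAL:
                self.collateral[user] = self.collateral.get(user, 0.0) + value
            elif action == ACTION_BORROW:
                self.debt[user] = self.debt.get(user, 0.0) + value
                status.needs_solvency_check = True   # any borrow must be checked
            else:
                status = self._additional_cook_action(status)
        # A single check for the whole batch, gated on the accumulated flag.
        if status.needs_solvency_check and not self.is_solvent(user):
            raise RuntimeError("batch leaves user insolvent")
        return status


def attempt_uncollateralized_borrow(overwrite_status, amount=1000.0):
    """Borrow with zero collateral, then append a hook-routed action.
    Returns the debt recorded for the attacker, or raises if the check fires."""
    cauldron = Cauldron(overwrite_status)
    cauldron.cook("attacker", [ACTION_BORROW, ACTION_CUSTOM], [amount, 0.0])
    return cauldron.debt["attacker"]


def exploit_succeeds(overwrite_status):
    """True if the uncollateralized borrow is accepted, False if it is rejected."""
    try:
        attempt_uncollateralized_borrow(overwrite_status)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    print("vulnerable variant accepts uncollateralized borrow:", exploit_succeeds(True))
    print("hardened variant accepts uncollateralized borrow:", exploit_succeeds(False))
```

The ordering matters: the borrow sets the flag, the hook-routed action that follows it replaces the whole status object, and the end-of-batch check never runs. Carrying the status through is one fix; an equally defensible one is to merge flags with a sticky OR so that no later action can lower a flag an earlier one raised, and either way a unit test that interleaves a borrow with every other action id is the regression check worth keeping.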
Aftermath and Response
The attacker withdrew approximately 1.79 million MIM and swapped it for Ether (ETH). All six Cauldrons were drained in one operation, using the same exploit against each.
The proceeds were then routed through Tornado Cash over the following day in tranches of roughly 10 ETH each. This is not the first incident involving Abracadabra's CauldronV4 code; the same contract family has previously been hit by unrelated vulnerabilities.
Notably, Synnax, a fork of the project, had paused its own DegenBox shortly before the Abracadabra exploit as a precaution against similar vulnerabilities. That suggests the risk in the shared code was already recognized by at least some teams, which raises broader questions about DeFi security practices.