What Happened

Abracadabra Money (MIM) — 2024 Backtest

$13M | Smart Contract Exploit | March 25, 2025

Seven-step flash loan attack targeting GM Cauldron cook() function. Attacker exploited the non-atomic GMX V2 order processing to manipulate solvency checks, minting ~13.4M unbacked MIM across five GM Cauldrons on Ethereum mainnet. The vulnerable contracts were 'deprecated' by the team but remained live and functional.

What Hindenrank Would Have Said

As of December 1, 2024

D
Risk Score
66/100

As of December 2024, Abracadabra Money presents elevated risk. The January 2024 exploit exposed a fundamental flaw in the cook() batching architecture — the same pattern used by GM Cauldrons. With deprecated cauldrons still live, multiple unresolved audit findings, and a history of MIM depegs, the risk profile warrants extreme caution. Rated D+.

Mechanism Novelty: 9/15
Interaction Severity: 14/20
Oracle Surface: 8/10
Documentation Quality: 6/10
Track Record: 13/15
Scale Exposure: 5/10
Regulatory Risk: 5/10
Protocol Vitality: 6/10

Grade Predicted This Failure

Flagged by dimensions: Mechanism Novelty, Interaction Severity, Oracle Surface, Documentation Quality, Track Record

One or more collapse scenarios directly matched the actual failure mode.

Top Risks Identified

  1. Prior $6.5M exploit (Jan 2024) via cook() solvency check bypass remains unresolved in deprecated cauldrons
  2. Non-atomic GMX V2 cauldron architecture creates window for MIM minting against unfinalized collateral
  3. Multiple Guardian audit Critical/High findings in GM Cauldron code unaddressed since Nov 2023
  4. MIM stablecoin historically depegged during collateral shocks (Terra, FTX, Jan 2024)
  5. Deprecated cauldrons remain live and capable of minting unbacked MIM

Collapse Scenarios

GM Cauldron Flash Loan Oracle Exploit

Elevated
Trigger

Attacker uses flash loan to manipulate GM token pricing state in GMX oracle or exploit timing window in cook() solvency checks, minting unbacked MIM across GM cauldrons.

Cascade
  1. Flash loan executes, attacker gains temporary capital to seed or manipulate GM cauldron state. Attacker enters position that exploits the non-atomic order timing window or cook() batch solvency check.
  2. cook() batch function bypasses solvency validation due to rounding or timing attack. Attacker mints MIM without proper collateral finalization; unbacked MIM enters circulation.
  3. Attacker swaps stolen MIM to USDC or ETH on-chain. MIM supply increases without collateral backing; peg begins slipping as unbacked MIM hits market.
  4. Protocol pauses GM cauldrons; community discovers scale of drain. MIM depegs significantly; SPELL token crashes; protocol suffers bad debt requiring governance response.

Historical Precedent

January 30, 2024: Attacker exploited rounding bug in CauldronV4 cook() function to bypass solvency checks, draining ~$6.5M (1,800 ETH + 2.2M MIM). The same architectural pattern persisted in GM cauldrons post-patch.
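
The timing window in the GM Cauldron scenario above, as an added example that is not Abracadabra's or GMX's contract code: a simplified Python model in which a batched cook() checks solvency once, at the end of the batch. It assumes, for illustration only, that the weak configuration values unsettled orders as collateral; the class, its flags, the action names and the 75% limit are all hypothetical.

```python
from dataclasses import dataclass, field

LTV_BPS = 7_500  # constructed value: borrow up to 75% of collateral value


@dataclass
class ToyCauldron:
    """Simplified model of a batched lending market (hypothetical names)."""
    count_pending: bool               # True = unsettled orders count as collateral
    mint_enabled: bool = True         # False = minting switched off in the contract
    settled: dict = field(default_factory=dict)  # user -> finalized collateral value
    pending: dict = field(default_factory=dict)  # user -> value locked in open orders
    debt: dict = field(default_factory=dict)     # user -> stablecoin owed

    def collateral(self, user):
        value = self.settled.get(user, 0)
        if self.count_pending:
            value += self.pending.get(user, 0)
        return value

    def solvent(self, user):
        return self.debt.get(user, 0) * 10_000 <= self.collateral(user) * LTV_BPS

    def cook(self, user, actions):
        """Apply a batch, check solvency once at the end, revert on failure."""
        saved = dict(self.pending), dict(self.debt)
        for kind, amount in actions:
            if kind == "create_order":
                self.pending[user] = self.pending.get(user, 0) + amount
            elif kind == "borrow" and self.mint_enabled:
                self.debt[user] = self.debt.get(user, 0) + amount
            else:  # unknown action, or borrow while minting is disabled
                self.pending, self.debt = saved
                return False
        if not self.solvent(user):
            self.pending, self.debt = saved
            return False
        return True

    def settle(self, user, executed_value):
        """Later, separate transaction: the order finalizes at its real value."""
        self.pending.pop(user, None)
        self.settled[user] = self.settled.get(user, 0) + executed_value


def unbacked_after_failed_order(cauldron):
    """Borrow against an open order, then let the order settle at zero."""
    accepted = cauldron.cook("user", [("create_order", 1_000), ("borrow", 700)])
    cauldron.settle("user", 0)  # order cancelled or executed for nothing
    return accepted, cauldron.debt.get("user", 0), cauldron.solvent("user")
```

Counting only settled collateral, or switching minting off in the contract itself when a market is retired, makes the same batch revert, so no debt exists when the order later fails.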

MIM Peg Collapse from GMX Platform Stress

Moderate
Trigger

GMX V2 platform experiences sustained losses, liquidity crisis, or smart contract exploit; GM token prices fall faster than Abracadabra oracles update, cascading into under-collateralized MIM positions.

Cascade
  1. GMX V2 suffers significant loss event (trader profits, platform exploit, or liquidity crisis). GM token net asset value declines sharply; Abracadabra oracle may lag actual GM price due to keeper delays.
  2. Multiple GM Cauldron positions become undercollateralized before oracle reflects updated price. Liquidation threshold breached but liquidators cannot act without oracle update; bad debt accumulates.
  3. Oracle updates reflect true GM token price; liquidations flood the market. Large USDC/ETH sells from liquidated collateral; some positions remain as bad debt.
  4. Accumulated bad debt creates MIM supply without backing; peg slips. MIM trades at persistent discount; sSPELL yield collapses; TVL exits accelerate.

Historical Precedent

Terra/Luna collapse (May 2022) drove MIM to $0.95. FTX/FTT exposure (November 2022) caused brief depeg to $0.9520. Both were collateral-quality shocks on the same model.

Deprecated Cauldron Lifecycle Failure

Elevated
Trigger

Abracadabra team internally flags cauldrons as deprecated without disabling MIM minting at contract level, leaving functional exploit surface in unmaintained code.

Cascade
  1. Attacker discovers that deprecated cauldrons retain full MIM minting capability. Deprecated cauldrons lack active monitoring; stale oracle prices and lower security scrutiny.
  2. Attacker exploits rounding or state manipulation bug in deprecated cauldron. MIM minted without valid backing; attack bypasses current security monitoring focused on active cauldrons.
  3. Protocol unable to respond quickly due to multi-chain deployment and deprecated-contract discovery time. Attacker scales attack across multiple deprecated cauldrons before pause is executed.

Historical Precedent

January 2024 exploit targeted exactly this scenario: CauldronV4 contracts labeled deprecated by the team but still active and capable of minting MIM.
