How Does Abracadabra Work?

Lending | Risk D+ | 7 mechanisms | 6 interactions

A lending platform where users deposit crypto to borrow the MIM stablecoin. It holds $11M in deposits, down significantly from peak levels after three separate hacks since January 2024 totaling over $21M in losses. Its D+ grade reflects the pattern of recurring smart contract vulnerabilities and a stablecoin that dropped to $0.76 during one incident.

TVL: $8M
Sector: Lending
Risk Grade: D+
Value Grade: C

Core Mechanisms

Lending/CDP

Cauldron isolated lending markets with interest-bearing collateral

Each Cauldron is an isolated market accepting a specific collateral type; users mint MIM stablecoin against deposited collateral. Based on Kashi lending architecture.

Stablecoin/CDP

MIM (Magic Internet Money) overcollateralized stablecoin

Standard CDP stablecoin minted via Cauldron borrowing. Has suffered multiple depeg events during exploits.

Lending/Liquidation

Cauldron liquidation with solvency check mechanism

Standard liquidation engine with solvency verification. October 2025 exploit bypassed solvency checks via cook() action sequencing.

Lending/Flash-Loan

Flash loan integration enabling leveraged positions

Standard flash loan integration. March 2025 exploit used a seven-step flash loan attack to drain $13M from GM pool cauldrons.

Governance/Token-Vote

SPELL token governance with DAO treasury buybacks

Standard governance token. DAO performed buybacks to mitigate MIM depeg impact post-exploits.

Yield/Interest-Bearing-Collateral

Yield-bearing token collateral (yvTokens, GLP, GM pools)

Accepts yield-bearing tokens as collateral. This pattern is now used by multiple protocols and is becoming standard.

Lending/Multi-Action (Novel)

cook() multi-action batch execution

Batches multiple lending actions in a single transaction via the cook() function. Novel composability pattern that has introduced action-sequencing vulnerabilities, exploited in Oct 2025.

How the Pieces Interact

cook() multi-action batch + Solvency check mechanism | Critical

Action sequencing in cook() allows resetting solvency check flags between borrow and withdrawal actions, enabling undercollateralized borrowing. Proven exploit in October 2025.
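The flag-reset interaction described above, as a simplified Python model added here for illustration (not Abracadabra's contract code). The action codes, the 75% limit and the overwrite-versus-sticky flag handling are assumptions of the model; it checks every ordering of a constructed batch to show that the deferred solvency check only holds if the flag can be set but never cleared.

```python
from dataclasses import dataclass
from itertools import permutations

# Hypothetical action codes and limit for this model, not the protocol's constants.
ADD_COLLATERAL, BORROW, REMOVE_COLLATERAL, OTHER = range(4)
MAX_LTV = 0.75

@dataclass
class Position:
    collateral: float = 0.0
    debt: float = 0.0
    def solvent(self) -> bool:
        return self.debt <= self.collateral * MAX_LTV

def apply(pos, action, amount):
    """Apply one action; return True if it can lower the position's health."""
    if action == ADD_COLLATERAL:
        pos.collateral += amount
    elif action == BORROW:
        pos.debt += amount
    elif action == REMOVE_COLLATERAL:
        pos.collateral -= amount
    return action in (BORROW, REMOVE_COLLATERAL)

def cook(pos, actions, sticky):
    """Run a batch on a copy, with one deferred solvency check at the end."""
    work = Position(pos.collateral, pos.debt)
    needs_check = False
    for action, amount in actions:
        risky = apply(work, action, amount)
        # Weak: each action's status overwrites the flag. Hardened: it only sets.
        needs_check = (needs_check or risky) if sticky else risky
    if needs_check and not work.solvent():
        raise ValueError("batch leaves the position undercollateralized")
    return work

def unchecked_orderings(actions, sticky):
    """Orderings of a batch that are accepted although they end insolvent."""
    bad = []
    for order in permutations(actions):
        try:
            end = cook(Position(), order, sticky)
        except ValueError:
            continue  # rejected by the solvency check
        if not end.solvent():
            bad.append(order)
    return bad

BATCH = [(ADD_COLLATERAL, 100.0), (BORROW, 200.0), (OTHER, 0.0)]  # constructed
```

Running `unchecked_orderings` over a protocol's real action set with `sticky=True` semantics is the kind of property test that belongs in a batch executor's regression suite: the result must be empty for every batch.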

Flash loan integration + GM pool cauldron liquidation | Critical

Flash loans enable manipulation of GM pool share prices during liquidation, allowing attackers to extract value through artificial liquidation cascades. Proven $13M exploit in March 2025.

MIM stablecoin + Cauldron collateral valuation | High

Large-scale exploit drainage triggers MIM selling pressure, depegging the stablecoin and causing cascading liquidations across all Cauldrons simultaneously.

Yield-bearing collateral + External protocol dependency | High

Collateral value depends on external protocol health (GMX, Yearn); external exploit or depeg propagates into Abracadabra Cauldrons as bad debt.

Interest-bearing collateral pricing + Oracle price feeds | Medium

Rounding errors in collateral value calculations (as in Jan 2024 exploit) enable precision-based extraction of protocol funds.

What Could Go Wrong

  1. Three major exploits in under two years ($6.5M Jan 2024, $13M Mar 2025, $1.8M Oct 2025) demonstrate a pattern of recurring smart contract vulnerabilities in the Cauldron architecture.
  2. MIM stablecoin depegged to $0.76 during the January 2024 exploit, showing that the peg mechanism cannot withstand protocol-level shocks.
  3. The cook() multi-action batch function has been exploited twice via action-sequencing vulnerabilities that bypass solvency checks, and the general pattern may have additional undiscovered variants.

Cook() Solvency Bypass Cascade

Elevated

Trigger: Attacker discovers a new action-sequencing combination in cook() that bypasses solvency checks on a Cauldron with $5M+ TVL, replicating the October 2025 pattern

  1. Attacker exploits cook() action sequencing to reset solvency flags between borrow and withdrawal. Undercollateralized borrows drain MIM from the targeted Cauldron.
  2. Attacker dumps stolen MIM on secondary markets. MIM selling pressure causes depeg from $1.00 toward $0.80-0.90 as in January 2024.
  3. MIM depeg triggers liquidation cascades across all Cauldrons using MIM as debt token. Borrowers across unaffected Cauldrons face margin calls as MIM-denominated positions become mispriced.
  4. Market panic causes mass withdrawal from remaining Cauldrons. Protocol TVL collapses; SPELL token crashes as governance credibility evaporates after fourth major exploit.
  5. DAO treasury insufficient to cover losses. Protocol enters terminal decline with no recovery path for affected depositors.

Risk Profile at a Glance

Mechanism Novelty: 3/15
Interaction Severity: 20/20
Oracle Surface: 5/10
Documentation Gaps: 5/10
Track Record: 15/15
Scale Exposure: 3/10
Regulatory Risk: 2/10
Vitality Risk: 9/10

Overall: D+ (62/100)

Lower score = safer
