Abracadabra Money (3rd incident — abracadabra-rekt3): Deprecated cauldron security flag bypass — cook() action ordering resets solvency check flag → uncollateralized MIM borrow
Summary
Abracadabra Money (3rd incident — abracadabra-rekt3), a CDP / Lending protocol (Cauldron-based stablecoin), suffered an exploit on 2025-10-04, resulting in a loss of approximately $2M.
What happened
Abracadabra's third exploit in two years drained $1.8M from deprecated CauldronV4 contracts that remained live with no kill switch — anyone who read the code could borrow MIM uncollateralized with a two-step trick.
Linked factors
- RD-F-001 — causal: ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — deprecated contracts explicitly excluded from any recent audit scope]
- RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited state — deprecated contracts with no audit since Nov 2023]