Rounding exploit spells trouble for Magic Internet Money

Add one more hack to Immunefi’s January report tally and you have over $130 million lost in January alone

by Macauley Peterson /
article-image

MIM and Adobe Stock modified by Blockworks

share

As January winds to a close, it’s looking like a rough month for DeFi safety after a score of exploits. The latest victim was Abracadabra.money, a 2021 bull market darling and issuer of the Magic Internet Money (MIM) stablecoin.

The incident caused MIM to depeg severely to as low as $0.77 on Tuesday, before recovering somewhat to $0.93 at time of writing.

Web3 security firms PeckShield and CertiK first reported the exploit, which was confirmed by Abracadabra’s X account.

Loading Tweet..

Read more: The 5 biggest DeFi hacks of 2023

A hacker was able to steal at least $6.5 million in MIM on Ethereum. The thief’s wallet was funded via Tornado Cash and following the hack, stolen MIM tokens were swapped for ether (ETH) and transferred to a pair of new wallets containing 1800 ETH and 939 ETH respectively as of 12:30 pm ET. 

Newsletter

Subscribe to The Breakdown

A CertiK spokesperson told Blockworks the hacker took advantage of a rounding bug in the protocol, specifically “cauldron v4” contracts which were deployed in early 2023.

Cauldrons is a DeFi dapp that facilitates lending and borrowing crypto assets. Borrowed funds are tracked in two ways: Elastic, representing the actual borrowed amount which can change due to interest rates, and Base, a more stable representation of the debt, used for internal calculations.

The suspect transaction shows a sequence of steps whereby a flawed calculation allowed the hacker to inflate their share of borrowed debt.

According to analysis by CertiK shared with Blockworks, the protocol’s “rebase library,” which should synchronize the elastic and base values, failed to account for discrepancies when the elastic value was zero but the base was not.

Essentially, the attacker tricked the protocol into underestimating the debt by repeatedly exploiting the rounding error, effectively paying back far less than they actually owed.

Tracking January DeFi exploits

Looking back on the first month of 2024, bug bounty and security service Immunefi found that prior to the Abracadabra exploit, over $126 million had already been lost in January across 19 incidents.

That’s a six-fold increase from a year ago and 2.8 times greater than the losses incurred in December 2023, Immunefi said.

Source: immunefi.com/research

Most of that is attributable to the first exploit that kicked off 2024, when more than $81 million was swiped from the Orbit Bridge.

Read more: $80M lost in first hack of 2024

Hackers most often targeted Ethereum (six incidents) and BNB Chain (five incidents). Arbitrum (three incidents) and Solana had two incidents, with one exploit each on Polygon, Optimism and Conflux Network, rounding out the list.

As the value of crypto assets increases, Immunefi expects that 2024 may see the largest nominal losses of any year to date.

Read more: DeFi hackers ring in New Year with 3 attacks in 5 days

Following the attack, moderators on the Abracadabra community Discord were seeking to allay the concerns of holders of MIM. Users spoke about their concerns that the extended divergence from its expected $1 value.

“MIM has been able to overcome difficult situations transparently in the past, [and] this is another obstacle but I am a buyer given the history of the team,” wrote one member.

Abracadabra.money and MIM were created by Daniele Sestagalli, a prominent, if not controversial figure in the crypto and DeFi space.

Sestagalli has also been behind DeFi protocols Wonderland and Popsicle Finance. His reputation also took a hit by association with Wonderland team member 0xSifu, who was identified as Michael Patryn of QuadrigaCX infamy. The revelation in January 2022 plunged Wonderland, built on Avalanche, into chaos.

Popsicle Finance was hacked for $20 million in August 2021. The project is technically still going, though it has never recovered from its 2021 heights and was subsequently rebranded to WAGMI, short for the crypto slogan We’re all Gonna Make It.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Permissionless IV Hackathon

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

learn more

recent research

Research Report Templates (8).png

Research

Solana Meta Aggregators

Meta-aggregators like Titan and Kamino Swap improve price execution for users, making the Solana swapping landscape more competitive. Jupiter has incorporated meta-aggregation features into its latest routing engine to keep users on its front end (own the user, own the flow). At large, teams are treating swaps as a commoditized complement, offering incredibly cheap or free swaps to own the end-user and increase demand for high-margin product offerings (multi-product DeFi). On another note, the divergence in the concentration of aggregator volume between DEXs suggests increased specialization at the DEX layer by asset type.

by Carlos Gonzalez Campo

/

news

article-image

FinanceLightspeed Newsletter

Beam and Braid to offer stablecoins to smaller banks

Many community banks and credit unions feel like they missed the fintech craze — and they don’t want to miss stablecoins

by Jack Kubinec /
article-image

Empire NewsletterFinance

‘There’s so much opportunity’ in crypto: BlackRock COO

BlackRock COO Rob Goldstein noted that the firm had been looking into crypto since 2017

by Katherine Ross /
article-image

Forward Guidance NewsletterOpinion

Is the Fed risking a policy mistake by sitting on their hands?

With the June FOMC meeting coming up, the Fed remains unlikely to cut interest rates. Is this the right move?

by Felix Jauvin /
article-image

The DropWeb3

Off The Grid active wallets hold steady ahead of Steam launch

The crypto-optional shooter is expected to release on Steam in a few weeks

article-image

0xResearch NewsletterBusiness

Spark airdrop lights the fuse on decentralized governance

The new airdrop campaign reaches 50,000 users, setting the stage for Spark’s 10-year token distribution

by Macauley Peterson /
article-image

PeopleSupply Shock

We’re all still early — but not early enough for the free bitcoin faucet

FOMO can be a multiplayer experience

by David Canellis /