Get the popcorn in, because I swear it's true. A cross-chain lending platform called Abracadabra Money has confirmed that an exploit allowed one user to drain at least $6.49 million in Ethereum-based stablecoins from its protocol (first spotted by Web3isgoinggreat). Fair warning that this story involves a bunch of crypto jargon which I'll try to explain as we go along, but always remember: these words are meant to obfuscate, confuse, and give the veneer of reality to the mathematically abstract.
Let's start with the Ethereum Cauldrons. These allow users to borrow the Magic Internet Money (MIM) stablecoin, yes really, a stablecoin being a crypto-token that is in theory pegged to the value of (and backed by) a recognised currency: in this case the US dollar. Users can borrow MIM this way by offering various other assets as collateral. What could go wrong?
Enter one dark wizard, an unknown user who began their attack with 1 ETH (roughly $2,300) and, per a report from blockchain security firm CertiK, took advantage of a "rounding issue." What they seem to have done is spam loans using a piece of confusion software called TornadoCash: borrowing and repaying repeatedly in a manner that had them not-so-slowly accruing profit, and then successfully transferring those funds to another crypto-wallet.
The attack was first noticed by the blockchain security firm PeckShield, at which point the loss was estimated at $6.49 million. Subsequent estimates have put the amount as high as $10 million, though bear in mind we're talking about crypto assets here. The exploit also sparked a plunge in the value of, yes, the Magic Internet Money stablecoin.
The MIM development team acknowledged the exploit and says it has now been fixed, while the MIM stablecoin has, after going down to around 77 cents in value at its lowest, returned to the high 90 cents range. But remember: the whole point of these so-called stablecoins is that they stay 1:1 with their pegged currency. So we're not at the final act yet.
The team further claims that victims will be compensated via a buy-back and burn process (liquidating some currency to boost the overall pot's value). Abracadabra is a decentralised finance platform, in crypto terms a DeFi, and the whole point of these is that they're supposed to be secure, robust, impregnable. And yet here we are: one attacker has made off with several million in crypto assets, with MIM and Abracadabra developers only able to say it's been contained.
Magic Internet Money now says that "following the recent exploit, we’ve taken swift action to secure the protocol. The DAO treasury is set to fully collateralize the $6.5M affected, ensuring safe operations. We’re moving forward with confidence."
To which, I guess, one can only add: "tah-dah!" This isn't even Magic Internet Money's first dodgy moment, with it having to be de-pegged during the 2022 Terra crash, and you do wonder who keeps giving something like this the benefit of the doubt. People really do put money into these things and, you know, so often the crypto moral lesson turns out the same. I wouldn't say it's magic but: Now you see it, and now you don't.