Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 178 · Flash Loan Attack

Abracadabra Cauldron Rounding

Precision/rounding bug in Abracadabra Money's Cauldron debt-accounting let an attacker drain $6.5M (2,740 ETH + 2.2M MIM) by repaying others' debts.

On January 30, 2024, Abracadabra Money suffered the first of three major exploits between 2024 and 2025. The attacker drained 2,740 ETH and 2.2 million MIM — approximately $6.5 million — by exploiting rounding errors in the Cauldrons V3 and V4 debt-accounting logic. The MIM stablecoin depegged to $0.76 before recovering.

What happened

Abracadabra's "Cauldrons" are isolated lending markets where users deposit collateral and borrow MIM (Magic Internet Money), Abracadabra's USD-pegged stablecoin. Each Cauldron tracks user debts in a shared accounting structure with periodic interest accrual.

The fatal flaw: the Cauldron's debt-accounting math contained integer-division rounding errors that could be exploited when a user paid down someone else's debt. The protocol's logic for adjusting totalBorrow.elastic (the protocol's view of outstanding debt) rounded in a way that under-decremented the recorded total when partial payments were applied across multiple positions.

The attack:

  1. Flash-borrowed capital to fund the operation.
  2. Repaid small amounts of other users' debts via the Cauldron's repayment function — each repayment triggered the buggy rounding behaviour.
  3. Each iteration reduced the protocol's recorded totalBorrow.elastic slightly more than it should have, given the actual payments.
  4. As the recorded total dropped, the attacker's borrowing capacity against their own collateral inflated — because the protocol believed the system had less outstanding debt than it actually did.
  5. Borrowed MIM repeatedly against the inflated capacity, ultimately extracting 2.2M MIM and 2,740 ETH worth of collateral.

The freshly-minted unbacked MIM hit DEX liquidity, depegging MIM from $1.00 to $0.76 as the market priced in the unbacked supply.

Aftermath

  • Abracadabra paused affected Cauldrons and shipped patched versions with corrected rounding direction.
  • MIM's peg recovered over the following weeks as the team coordinated treasury support and burned the unbacked supply.
  • The stolen funds were laundered through Tornado Cash.
  • This was the first of three major Abracadabra exploits through 2024-2025: a second, larger incident hit in March 2025 ($13M via GMX Cauldron logic), and a third, smaller one in October 2025 ($1.7M).

Why it matters

Abracadabra's January 2024 incident is part of the rounding-direction vulnerability class that has produced recurring DeFi losses:

  • Alpha Homora (Feb 2021) — borrow-share rounding to zero against actual debt.
  • Hundred Finance (Apr 2023) — Compound v2 fork precision/donation interaction.
  • zkLend (Feb 2025) — Starknet safeMath rounding inflated raw_balance to 1724.
  • Abracadabra Cauldrons (Jan 2024) — debt-accounting under-decrement.

In every case, the rounding direction chosen by the contract was either wrong outright or interacted with adversarially-constructed call sequences to produce the wrong economic outcome. The defensive answer — always round in favour of the protocol, not the user, on every integer-division operation that affects solvency — is well-documented and not yet universally applied.
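
The rounding rule above, as an added example (not code from Abracadabra or from this archive): a simplified elastic/base debt-share ledger in Python, showing how round-down share minting leaves borrowed tokens attributed to no borrower, and how rounding in the protocol's favour closes the gap. The class, function names and starting balances are constructed for illustration, and the model covers the general rounding-direction class listed above rather than the exact Cauldron code path.

```python
# Simplified debt-share ledger (constructed model, not Abracadabra's contract code).
# elastic = total debt in tokens, base = total debt shares.

def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """Integer a*b/d with an explicit rounding direction."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q


class DebtLedger:
    def __init__(self, elastic: int, base: int, protocol_favouring: bool):
        self.elastic = elastic
        self.base = base
        self.safe = protocol_favouring
        self.shares = {}  # user -> debt shares held

    def borrow(self, user: str, amount: int) -> int:
        # Shares minted for a borrow: rounding up favours the protocol.
        part = mul_div(amount, self.base, self.elastic, round_up=self.safe)
        self.elastic += amount
        self.base += part
        self.shares[user] = self.shares.get(user, 0) + part
        return part

    def repay(self, user: str, part: int) -> int:
        # Tokens charged to burn `part` shares: rounding up favours the protocol.
        amount = mul_div(part, self.elastic, self.base, round_up=self.safe)
        self.elastic -= amount
        self.base -= part
        self.shares[user] -= part
        return amount

    def debt_of(self, user: str) -> int:
        # Debt the ledger attributes to the user, rounded up for solvency checks.
        return mul_div(self.shares.get(user, 0), self.elastic, self.base, True)


def unattributed_debt(safe: bool, borrows: int = 100, amount: int = 2) -> int:
    """Tokens handed to one borrower minus the debt the ledger attributes to them."""
    # Constructed state: accrued interest has pushed the price to 3 tokens per share.
    ledger = DebtLedger(elastic=3_000, base=1_000, protocol_favouring=safe)
    for _ in range(borrows):
        ledger.borrow("user", amount)
    return borrows * amount - ledger.debt_of("user")
```

A positive result from `unattributed_debt` means the ledger handed out tokens it cannot collect from the borrower; asserting that it never exceeds zero is an invariant suited to a fuzz or property test of any share-based debt ledger.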

The three Abracadabra exploits in two years also illustrate the "protocol survives the first exploit but is structurally fragile" dynamic: a project that has been hacked once attracts more attention from sophisticated attackers, and unless the post-incident hardening addresses systemic causes rather than just the specific bug, second and third incidents become statistically likely.
