What happened when MIM was hacked. Detailed analysis of the attack
We reveal the scheme by which the hacker manipulated cryptocurrency loan collateral
31.03.2025
969
4 min
0
On March 25, 2025, the MIM (Magic Internet Money) lending protocol was hacked. An attacker managed to withdraw 6261,13 ETH (equivalent to $12,9 million). The hacker used the RouterOrder and Cauldron contract integration vulnerabilities to carry out the attack.

Source: MIM Spell account on X
In simple terms: the attacker was able to borrow the cryptocurrency, liquidate the position, and make a new loan with the original collateral. This was achieved by not updating the data in the RouterOrder contract during the liquidation process.
Example of attack transactions
Three exploit transactions were conducted to attack MIM. The first transaction was preparatory:
0xef64da328604bca1aee4b86504dbd2f81cc0f5d7d1b80bdca7011e470c076e0e
The second transaction initiated the loan
0xcdfce7234225e445f764399407f1256c52f8b75db3baf77493bb4c88c8aacfd1
The third transaction initiated a liquidation and a new loan
0x5416a5f23af22bd1c6c92dbbdb382da681884ed2be07f5c0903ab2241
Two wallets and a contract were used for the attack:
0x51c9d0264d829a4F6d525dF2357Cd20Ea79b5049
0xAF9e33Aa03CAaa613c3Ba4221f7EA3eE2AC38649
0xf29120acd274a0c60a181a37b1ae9119fe0f1c9c
Preparation
In this step, the hacker set up a master contract for address 0x51c9 and contributed 0,5 GM to DegenBox.
The first loan
Next, the attacker called the GmxV2CauldronV4.cook() function with parameters [30,5,30,3]. This resulted in the following actions:
- 280 ETH were exchanged for 6,66 WBTC using attack contract 0xf291
- loan of 300k MIM
- transfer of 300k MIM into malicious contract 0xf291
- MIM swap for USDC 300k
- swap of 300k USDC to 145,2 WETH
- swap of 145,2 WETH to 3,44 WBTC
The attacker then created a new order at 0x51c9 using 5 WBTC as collateral and a small ETH fee. At this point, the MIM protocol was already compromised and could not recognize the manipulation.
Liquidation and subsequent unsecured loan
Using a pre-created attack contract, the attacker initiated the liquidation of the first loan using the sendValueInCollateral() function. All funds were sent for liquidation to the false contract 0xf291.
Next, several more loans were made, which the MIM protocol approved, using the same 5 WBTC deposited by the attacker in the previous step as collateral.
The essence of the vulnerability
After studying the Abracadabra documentation, it will become clear that the vulnerability lies in the joint use of RouterOrder and CauldronV4 contracts.
The OrderAgent.create() function creates a new loan request for a certain user with specified parameters. It is called by the GmxV2CauldronV4 contract to set up the new application in response to user actions. RouterOrder.init() also triggers the creation of the application on the GMX router.
During the loan liquidation process, the 'sendValueInCollateral()' function sends all funds to the liquidator, in this case attacker contract 0xf291, but the public variable 'inputAmount' stored in 'GmxV2CauldronRouterOrder' is not updated. This allows the attacker to further exploit the funds held as collateral. As a result, the hacker can take up an additional 85% of the collateral size.
Let’s go after the money
Two wallets and a contract created by the attacker before the attack received initial collateral in ETH from Tornado Cash. After withdrawing the funds from the MIM protocol, they were moved to address 0xAF9e.

Transfer of ETH from the Arbitrum network to Ethereum
The stolen cryptocurrency was then transferred from the Arbitrum network to Ethereum using the Stargate protocol. The hacker used transactions of 500 ETH. On the Ethereum network, the attacker created three new addresses where the stolen funds were distributed:
0xa8f822E937C982e65b0437Ac81792a3AdA76A1ff — 1259 ETH ($2,6 million)
0x047C2a3dd1Ab4105B365685d4804fE5c440B5729 — 2001 ETH ($4,1 million)
0x018182FD7B856AeE1606D7E0AA8bca10F1Cb0b5d — 3001 ETH ($6,1 million)
As of March 31, the stolen funds remain in the attacker’s wallets.
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter