We reveal the scheme by which the hacker manipulated cryptocurrency loan collateral

What happened when MIM was hacked. Detailed analysis of the attack

31.03.2025

969

4 min

On March 25, 2025, the MIM (Magic Internet Money) lending protocol was hacked. An attacker managed to withdraw 6261,13 ETH (equivalent to $12,9 million). The hacker used the RouterOrder and Cauldron contract integration vulnerabilities to carry out the attack.

Source: MIM Spell account on X

In simple terms: the attacker was able to borrow the cryptocurrency, liquidate the position, and make a new loan with the original collateral. This was achieved by not updating the data in the RouterOrder contract during the liquidation process.

Example of attack transactions

Three exploit transactions were conducted to attack MIM. The first transaction was preparatory:

0xef64da328604bca1aee4b86504dbd2f81cc0f5d7d1b80bdca7011e470c076e0e

The second transaction initiated the loan

0xcdfce7234225e445f764399407f1256c52f8b75db3baf77493bb4c88c8aacfd1

The third transaction initiated a liquidation and a new loan

0x5416a5f23af22bd1c6c92dbbdb382da681884ed2be07f5c0903ab2241

Two wallets and a contract were used for the attack:

0x51c9d0264d829a4F6d525dF2357Cd20Ea79b5049

0xAF9e33Aa03CAaa613c3Ba4221f7EA3eE2AC38649

0xf29120acd274a0c60a181a37b1ae9119fe0f1c9c

Preparation

In this step, the hacker set up a master contract for address 0x51c9 and contributed 0,5 GM to DegenBox.

The first loan

Next, the attacker called the GmxV2CauldronV4.cook() function with parameters [30,5,30,3]. This resulted in the following actions:

  • 280 ETH were exchanged for 6,66 WBTC using attack contract 0xf291
  • loan of 300k MIM
  • transfer of 300k MIM into malicious contract 0xf291
  • MIM swap for USDC 300k
  • swap of 300k USDC to 145,2 WETH
  • swap of 145,2 WETH to 3,44 WBTC

The attacker then created a new order at 0x51c9 using 5 WBTC as collateral and a small ETH fee. At this point, the MIM protocol was already compromised and could not recognize the manipulation.

Liquidation and subsequent unsecured loan

Using a pre-created attack contract, the attacker initiated the liquidation of the first loan using the sendValueInCollateral() function. All funds were sent for liquidation to the false contract 0xf291.

Next, several more loans were made, which the MIM protocol approved, using the same 5 WBTC deposited by the attacker in the previous step as collateral.

The essence of the vulnerability

After studying the Abracadabra documentation, it will become clear that the vulnerability lies in the joint use of RouterOrder and CauldronV4 contracts.

The OrderAgent.create() function creates a new loan request for a certain user with specified parameters. It is called by the GmxV2CauldronV4 contract to set up the new application in response to user actions. RouterOrder.init() also triggers the creation of the application on the GMX router.

During the loan liquidation process, the 'sendValueInCollateral()' function sends all funds to the liquidator, in this case attacker contract 0xf291, but the public variable 'inputAmount' stored in 'GmxV2CauldronRouterOrder' is not updated. This allows the attacker to further exploit the funds held as collateral. As a result, the hacker can take up an additional 85% of the collateral size.

Let’s go after the money

Two wallets and a contract created by the attacker before the attack received initial collateral in ETH from Tornado Cash. After withdrawing the funds from the MIM protocol, they were moved to address 0xAF9e.

Transfer of ETH from the Arbitrum network to Ethereum

The stolen cryptocurrency was then transferred from the Arbitrum network to Ethereum using the Stargate protocol. The hacker used transactions of 500 ETH. On the Ethereum network, the attacker created three new addresses where the stolen funds were distributed:

0xa8f822E937C982e65b0437Ac81792a3AdA76A1ff — 1259 ETH ($2,6 million)

0x047C2a3dd1Ab4105B365685d4804fE5c440B5729 — 2001 ETH ($4,1 million)

0x018182FD7B856AeE1606D7E0AA8bca10F1Cb0b5d — 3001 ETH ($6,1 million)

As of March 31, the stolen funds remain in the attacker’s wallets.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy