Arcadia Finance, a decentralized finance (DeFi) platform operating on the Base blockchain, recently experienced a significant exploit, resulting in the theft of approximately $3.5 million in cryptocurrency. The attack specifically targeted a vulnerability within Arcadia’s Rebalancer contract. This flaw allowed the attacker to manipulate swapData parameters, leading to unauthorized swaps that drained assets from user vaults.
The exploit unfolded swiftly, with the attacker deploying a malicious contract and triggering the vulnerability within a minute.
According to blockchain security company Cyvers, the initial attack occurred on Tuesday. The stolen tokens, primarily USDC and USDS, were immediately swapped for Wrapped Ethereum (WETH) on the Base network. To further obscure the trail, these WETH holdings were then bridged over to the Ethereum mainnet, where they were distributed across new intermediary addresses, likely in an attempt to prevent tracking and potentially for mixing or decentralized exchange activity.
Initially, the loss was estimated at $2.5 million, comprising around 2.3 million USDC and 227,000 USDS. During the rogue swap process, the attacker gained approximately 199 WETH and 965.8 million AERO tokens, impacting 12 different addresses. However, Cyvers later confirmed that Arcadia Finance suffered a subsequent attack, with the exploiter successfully extracting an additional nearly $1 million through multiple transactions, bringing the total stolen amount to $3.5 million.
In response to the incident, Cyvers provided several recommendations to mitigate further damage and assist in recovery.
These included blacklisting the involved addresses on both the Base and Ethereum networks, notifying major exchanges and bridges to halt any inbound transactions from these addresses, and sharing suspicious activity reports with law enforcement agencies. These measures are crucial for limiting the attacker’s ability to cash out the stolen funds.
The Arcadia Finance team officially confirmed the exploit on Tuesday via a post on X. They acknowledged the “unauthorized transactions via a Rebalancer” and urgently advised their users to revoke all permissions granted to asset managers within the Arcadia platform to minimize any further potential risks. They also stated that more information would be provided as their investigation progressed.
Reference:
