Arcadia Finance, a decentralized finance (DeFi) protocol, suffered a devastating cyberattack that exploited a reentrancy vulnerability, resulting in the theft of $455,000.
The attacker utilized a “reentrancy exploit,” a bug that lets a caller interrupt a contract partway through a multi-step process and re-enter it before that process has properly completed. The Arcadia team has demanded the return of the stolen funds within 24 hours, warning of potential police involvement if the hacker fails to comply.
The attack, which occurred on July 10, targeted Arcadia Finance and drained approximately $455,000 worth of cryptocurrency. Initial reports from blockchain security firm PeckShield suggested that a lack of validation of untrusted input in the app’s contracts enabled the attacker to drain the funds.
However, the Arcadia team refuted this claim, asserting an alternative cause. The team’s post-mortem report revealed that the vulnerable “liquidateVault()” function did not contain a reentrancy check, allowing the attacker to exploit the protocol and withdraw funds without repayment.
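The bug class described above, shown as a simplified Python model with and without a reentrancy check. This is an added example, not Arcadia's code or a reconstruction of the incident; the `Vault` class, its `withdraw` function and the account names are hypothetical.

```python
# Simplified model of a multi-step operation that hands control to the caller
# before finishing its bookkeeping. All names and amounts are constructed.

class ReentrancyError(Exception):
    """Raised when a guarded function is entered while already running."""

class Vault:
    def __init__(self, guarded):
        self.guarded = guarded   # True = reentrancy check enabled
        self.locked = False      # the guard's "currently executing" flag
        self.balances = {}
        self.reserves = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.guarded:
            if self.locked:
                raise ReentrancyError("reentrant call rejected")
            self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserves:
                return 0
            self.reserves -= amount   # step 1: funds leave the vault
            on_receive(amount)        # external call: control leaves the contract
            self.balances[who] = 0    # step 2: bookkeeping, reached too late
            return amount
        finally:
            if self.guarded:
                self.locked = False

def run(guarded):
    """Return (total paid to caller, reserves left) for one withdraw call."""
    vault = Vault(guarded)
    vault.deposit("others", 90)
    vault.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        try:
            vault.withdraw("caller", on_receive)  # re-enter before step 2 runs
        except ReentrancyError:
            pass                                  # guard refused the nested call

    vault.withdraw("caller", on_receive)
    return sum(received), vault.reserves
```

With the guard off, the 10-unit balance is paid out repeatedly until the reserves are empty; with the guard on, the nested call is rejected and only the caller's own 10 units leave the vault.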
Following the incident, Arcadia Finance has suspended its contracts and is diligently working on a patch to rectify the vulnerability and prevent similar attacks in the future. The team is actively collaborating with security experts and law enforcement agencies to investigate the incident and track down the perpetrator.
Exploits and scams remain persistent challenges in the DeFi space, with a recent report estimating over $300 million lost due to exploits in the second quarter of 2023.