A security vulnerability in Arcadia Finance’s DeFi protocol enabled a hacker to drain nearly half a million dollars from its Ethereum and Optimism vaults.
DeFi protocol Arcadia Finance fell victim to a code exploit, leading to a significant loss of approximately $455,000. Blockchain security firm PeckShield was the first to detect and reveal the breach, attributing it to a coding oversight concerning untrusted input validation.
#PeckShieldAlert Our community contributor has detected that @ArcadiaFi has been exploited on both #Ethereum and #Optimism for ~$455K
The exploiter on #Ethereum was frontrun by 0x5C75e94dD0Ab9c10BFd1B8073DafEF031D3c050dhttps://t.co/blGx5IEAkk
The exploiter on #optimism… pic.twitter.com/WDzF0XVcmL
— PeckShieldAlert (@PeckShieldAlert) July 10, 2023
The loophole allowed the infiltrator to drain funds from Arcadia’s Ethereum and Optimism vaults, leaving the DeFi protocol in a precarious position, according to PeckShield. Following the alert, Arcadia Finance quickly confirmed the breach and suspended the affected contracts, attempting to stymie further loss.
We are aware of a potential exploit in our protocol.
We have paused the contracts and are investigating the root-cause with security experts as we speak. More info will follow as it comes available.— Arcadia Finance (@ArcadiaFi) July 10, 2023
Further compounding the issue, PeckShield identified another vulnerability in Arcadia’s code “due to the lack of untrusted input validation.” The lack of reentrancy protection, which safeguards against multiple simultaneous entries into the protocol, could open the door for hackers to sidestep the protocol’s internal vault health check:
“In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check.”
PeckShield’s findings suggest that the bulk of the stolen funds were from the Optimism vault, roughly 180 Ether, which have been allegedly moved through Tornado Cash, a privacy-centric Ethereum mixing service. The ETH, however, with a value exceeding $103,000 at the time of reporting, remains static in the suspected hacker’s wallet.
Arcadia notified its community on Twitter that it is in contact with the hacker, looking to utilize its community and security options for a quick resolution.
For Arcadia Finance, the road to recovery will likely involve extensive analysis of its current security systems and the implementation of more stringent measures to prevent such breaches in the future:
“Our number one priority is recovering funds for Arcadia protocol users.”