Contents
A new crypto hack was discovered today: this time the DeFi Arcadia Finance protocol on the Ethereum and Optimism chains was successfully attacked.
PeckShieldAlert broke the news on Twitter, reporting that the hack netted the attackers about $455,000.
#PeckShieldAlert Our community contributor has detected that @ArcadiaFi has been exploited on both #Ethereum and #Optimism for ~$455K
The exploiter on #Ethereum was frontrun by 0x5C75e94dD0Ab9c10BFd1B8073DafEF031D3c050dhttps://t.co/blGx5IEAkk
The exploiter on #optimism… pic.twitter.com/WDzF0XVcmL
— PeckShieldAlert (@PeckShieldAlert) July 10, 2023
The hack was also later confirmed by the operators of Arcadia Finance themselves.
We are aware of a potential exploit in our protocol.
We have paused the contracts and are investigating the root-cause with security experts as we speak. More info will follow as it comes available.— Arcadia Finance (@ArcadiaFi) July 10, 2023
After a few hours, they reported that they were able to make contact with the hacker, and that they were working together with their security partners, law enforcement, and the community to solve the problem as best they could in an effort to recover funds for protocol users.
The bug that led to the crypto hack
According to PeckShield, the hack to Arcadia Finance’s smart contract was due to untrusted input validation being exploited to drain funds from darcWETH and darcUSDC reserves.
darcWETH and darcUSDC are two wrapped Arcadia Finance tokens, so they each hold reserves.
Theoretically for every darcWETH token there should be a WETH token in the reserves, and for every darcUSDC token there should be a USDC token.
Evidently the smart contract that manages the reserves of these two wrapped tokens had a bug that attackers were able to exploit.
Furthermore, PeckShield discovered a lack of re-entry protection in these smart contracts, which in this way allowed the instant settlement to bypass the internal state check of the reserves manager.
In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check. pic.twitter.com/Am58ZOvgQJ
— PeckShield Inc. (@peckshield) July 10, 2023
To be fair, Arcadia later refuted this reconstruction, but was unable to provide an alternative explanation.
Most of the funds were stolen from Optimism’s chain, and they were then moved thanks to Tornado Cash in order to lose track of them.
The Arcadia Finance protocol
Arcadia Finance is a DeFi protocol on Ethereum and Optimism that does not have its own native token.
Before the hack, its TVL was about $600,000, while after the theft it plummeted to $145,000.
This is a non-custodial protocol that allows for the composition of on-chain cross-margin accounts.
Users of these margin accounts can collateralize entire wallets, access up to 10 times more capital than their initial collateral value, and use the deposited collateral and borrowed capital to interact with any other DeFi protocol in a permissionless manner.
Lenders provide liquidity to Arcadia’s loan pools, earning passive returns.
Being non-custodial, the hackers were not able to steal funds directly from users’ wallets, but rather from those used as reserves for issuing the wrapped tokens darcWETH and darcUSDC.
Thus, no darcWETH or darcUSDC were stolen directly from users’ wallets, but WETH and USDC were stolen from the wallets on which the reserves were held. This means that there is no longer 1 WETH for every darcWETH issued, and 1 USDC for every darcUSDC issued, so effectively users still have all their wrapped tokens but can no longer redeem them.
The problem with wrapped tokens
It is often said that non-custodial wallets are safe, if stored and maintained properly, but sometimes the risks lie upstream.
Indeed, for any non-custodial wallet there is little difference in storing original tokens, such as USDC, or wrapped tokens, such as darcUSDC.
However, wrapped tokens have an additional layer of risk. In fact, the custody of the collateral is not done by the users themselves on their non-custodial wallets, but by the managers of the wrapped tokens.
In fact, this is not very different from a custodial wallet, since custody of the collateral is in some ways equivalent to custody of the wrapped tokens.
Therefore even if the wallets of users holding wrapped tokens are not breached, in the event of a breach of the reserve wallets, users can still lose their funds, simply because while they still have the wrapped tokens they can no longer redeem them. Their actual value in this way effectively goes to zero.
This actually applies to USDC as well, because while it is not a wrapped token it is a collateralized stablecoin, meaning it has reserves as collateral, which is held and managed by a single entity (Circle).
The impact on crypto markets of the hack that occurred
The impact on the crypto markets of this hack has been almost zero, if we exclude the wrapped tokens darcWETH and darcUSDC.
OP, which is Optimism’s native token, has also not suffered serious losses, so much so that its price today moved in line with those of many other similar tokens.
Then again, $455,000 is not that much, and by now the crypto markets have developed a habit of this kind of theft on DeFi protocols.
Moreover, DeFi is not about Bitcoin, and right now it is Bitcoin that is dictating the trend in the crypto markets.
Situations like this one only serve to provide a better understanding of the risks involved when using DeFi protocols, especially when they are hidden as in the case of wrapped tokens.
Something much worse had happened in March, when it was discovered that Circle held a significant portion of USDC reserves on the failed Silvergate bank, so much so that for a moment it was feared that the stablecoin might lose its peg with the dollar.
But then the US central bank intervened directly to cover all the shortfalls, thereby giving all Silvergate depositors back all their funds.