Arcadia Finance suffers a $455,000 exploit, prompting contract halting and collaboration with security partners and law enforcement.
Important Points
- PeckShield identifies vulnerability in Arcadia’s input validation and lack of reentrancy protection, allowing funds to be drained from vaults.
- Stolen funds from the Optimism network are laundered using Tornado Cash, while Ethereum funds remain in a flagged wallet address.
Arcadia Finance, a non-custodial decentralized finance (DeFi) protocol, has fallen victim to an exploit that resulted in the loss of $455,000 on both the Ethereum and Optimism networks. To address the hack, Arcadia has halted its contracts and is working with security partners to minimize the damage. Additionally, the platform has involved law enforcement to handle the issue.
Post Mortem of ongoing situation, providing a technical overview and sharing more information on next steps. https://t.co/NPNbbSzKBQ
— Arcadia Finance (@ArcadiaFi) July 10, 2023
Arcadia Under Attack
PeckShield, a blockchain security firm, was the first to notify Arcadia about the attack. According to PeckShield, the exploit was due to “the lack of untrusted input validation.” This vulnerability allowed funds to be drained from both the darcWETH and darcUSDC vaults. PeckShield also pointed to a second weakness in the protocol, a “lack of reentrancy protection,” which lets an instant liquidation bypass the internal vault health check.
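The interaction PeckShield describes can be seen in a small state model, which also shows how a handler allowlist and a reentrancy lock each stop it. The Python below is an added example, not Arcadia's contract code or PeckShield's analysis; the class and function names, the numbers, and the assumption that liquidation clears a vault's recorded debt are all constructed for illustration.

```python
# Toy state model, constructed for illustration; not Arcadia's contract code.
class Revert(Exception):
    """Stands in for an EVM revert."""

class Vault:
    def __init__(self, collateral, debt, allowed_handlers=(), hardened=False):
        self.collateral, self.debt = collateral, debt
        self.allowed = set(allowed_handlers)  # allowlist of action handlers
        self.hardened = hardened              # True = both mitigations enabled
        self.in_action = False                # reentrancy lock

    def healthy(self):
        return self.collateral >= self.debt

    def liquidate(self):
        # Assumption of this model: liquidation clears the recorded debt.
        if self.hardened and self.in_action:
            raise Revert("reentrant call")
        if self.healthy():
            raise Revert("vault is healthy")
        self.debt = 0

    def action(self, handler, withdraw):
        """Hand `withdraw` of collateral to `handler`, then check vault health."""
        if self.hardened and handler not in self.allowed:
            raise Revert("handler not allowlisted")  # untrusted input validation
        snapshot = (self.collateral, self.debt)
        self.in_action = True
        try:
            self.collateral -= withdraw
            handler(self)                     # external call into caller-chosen code
            if not self.healthy():
                raise Revert("health check failed")
        except Revert:
            self.collateral, self.debt = snapshot  # a revert undoes state changes
            raise
        finally:
            self.in_action = False

def reentering_handler(vault):
    vault.liquidate()  # constructed untrusted handler that calls back into the vault

def run(hardened, allowlisted):
    allowed = [reentering_handler] if allowlisted else []
    v = Vault(100, 80, allowed_handlers=allowed, hardened=hardened)
    try:
        v.action(reentering_handler, withdraw=100)
        return ("ok", v.collateral, v.debt)
    except Revert as exc:
        return (str(exc), v.collateral, v.debt)
```

With both checks off, `run(False, False)` ends with the health check passing on an emptied vault; with them on, the same call reverts and the balances are unchanged.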
The portion of the stolen funds on the Optimism network was laundered through Tornado Cash, a controversial coin mixer. The Ethereum portion, valued at over $103,000, remained in a flagged wallet address.
While Arcadia has not confirmed the root cause identified by PeckShield, the protocol has launched an investigation. In a recent statement, Arcadia said, “We will continue to work with our security partners, law enforcement, and the broader community to resolve this as best we can. Our number one priority is recovering funds for Arcadia protocol users.”
Arcadia Finance and the DeFi Landscape
Arcadia Finance is a non-custodial, permissionless protocol that allows users to trade spot with leverage and boost staked ether. The platform was launched on Ethereum and Optimism in March of this year. The recent exploit is just one of many hacking incidents that have plagued the digital asset sector.
Beosin, a Web3 security firm, reported a loss of $470 million across 108 DeFi protocol attacks in the first quarter of 2023 alone. These incidents highlight the growing need for enhanced security measures within the DeFi space.
Arcadia Finance is determined to recover the stolen funds and has pledged to collaborate with security partners, law enforcement agencies, and the wider community to achieve this goal.