In a recent incident, decentralized finance (DeFi) protocol Arcadia Finance fell victim to a hack, resulting in the loss of approximately $455,000. The hacker exploited a code vulnerability within Arcadia’s system, specifically due to the lack of untrusted input validation. This allowed them to drain funds from both Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
The hack was brought to light by blockchain investigator PeckShield, who identified the absence of a validation mechanism to verify unverified inputs as the root cause. Despite being alerted about the hack, Arcadia Finance has not yet responded to requests for comment.
Arcadia Finance acknowledged the hack two hours after being informed by PeckShield and promptly paused its contracts to prevent further fund losses. The protocol confirmed the potential exploit and mentioned ongoing investigations to determine the root cause, with collaboration from security experts.
Additionally, PeckShield highlighted another vulnerability in Arcadia’s code: the lack of reentrancy protection. This flaw allows for instant liquidation to bypass internal vault health checks, posing further risks to the protocol if exploited.
Most of the stolen funds, approximately 180 Ether (ETH), originated from Optimism and were subsequently laundered through Tornado Cash. However, the stolen tokens on Ethereum, valued at over $103,000 at the time of writing, remain held in the suspected wallet address.
This hack is part of a concerning trend in the crypto space, as reported by blockchain security company CertiK. In Q2 of 2023 alone, there were 212 security incidents, resulting in a cumulative loss of $313,566,528 across various Web3 protocols. However, compared to the previous year’s Q2 data, there was a 58% decline in crypto hacks.
Among the incidents, BNB Chain experienced the highest number of security issues, with 119 incidents resulting in losses amounting to $70,711,385.
As investigations continue into the Arcadia Finance hack, it is crucial for DeFi protocols to prioritize robust code validation and implement necessary security measures to protect user funds.