Arcadia Finance, a decentralized finance (DeFi) protocol, recently suffered a security breach resulting in the theft of $455,000 worth of cryptocurrency. The development team released a post-mortem report revealing that the attacker exploited a reentrancy vulnerability to drain the funds. A reentrancy exploit lets an attacker call back into a contract while one of its multi-step operations is still in progress, so that operation does not complete as intended.
The attack involved liquidating a vault in Arcadia Finance before it could undergo a health check, disrupting the normal flow of operations. This allowed the attacker to borrow funds without repayment, draining them from the protocol. The team has demanded the return of the stolen funds within 24 hours and threatened to involve law enforcement if the attacker fails to comply.
Initial analysis by blockchain security firm Peckshield suggested that the attack was due to a failure to validate untrusted input in Arcadia Finance’s contracts. However, the Arcadia team refuted this claim, stating that Peckshield’s analysis was inaccurate. In their post-mortem report, the team clarified that the absence of a reentrancy check in the “liquidateVault()” function enabled the exploit. They have since paused the contracts and are actively working on a patch to address the vulnerability.
The attacker carried out the exploit in several steps. They first obtained a flash loan from Aave and deposited it into an Arcadia vault. Using that deposit as collateral, they borrowed a significant amount from an Arcadia liquidity pool through the “doActionWithLeverage()” function. By controlling the timing with a malicious contract, they managed to pass the health check and then liquidate the vault, wiping out its debt. Repeating this sequence several times, the attacker drained a total of $455,000 from pools on Optimism and Ethereum.
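To show the pattern the post-mortem describes, here is an added, simplified Solidity example that is not Arcadia’s code: a toy vault whose “doActionWithLeverage()” lends, hands control to an untrusted callback, and checks health last, with “liquidateVault()” sharing the same reentrancy guard so the callback cannot liquidate the vault mid-flight. Only the two function names come from the report; the interface, storage layout, and solvency rule are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified lending vault (not Arcadia's code). The function
// names mirror the post-mortem; everything else is an illustrative assumption.
interface IActionHandler {
    function execute(uint256 amount) external;
}

contract GuardedVault {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    // One mutex shared by every state-changing entry point.
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private status = NOT_ENTERED;

    modifier nonReentrant() {
        require(status == NOT_ENTERED, "ReentrancyGuard: reentrant call");
        status = ENTERED;
        _;
        status = NOT_ENTERED;
    }

    function deposit() external payable nonReentrant {
        collateral[msg.sender] += msg.value;
    }

    // Toy solvency rule: a position is healthy while debt <= collateral.
    function isHealthy(address owner) public view returns (bool) {
        return debt[owner] <= collateral[owner];
    }

    // Lend first, hand control to the caller's action contract, check health
    // last. The external call in the middle is the reentrancy window; the
    // shared guard closes it.
    function doActionWithLeverage(uint256 amount, IActionHandler action) external nonReentrant {
        debt[msg.sender] += amount;
        action.execute(amount);                 // untrusted callback
        require(isHealthy(msg.sender), "health check failed");
    }

    // Without nonReentrant here, this could be entered from the callback above,
    // zeroing the debt before the health check ran.
    function liquidateVault(address owner) external nonReentrant {
        require(!isHealthy(owner), "vault is healthy");
        uint256 seized = collateral[owner];
        collateral[owner] = 0;                  // effects before interactions
        debt[owner] = 0;
        (bool ok, ) = msg.sender.call{value: seized}("");
        require(ok, "payout failed");
    }
}
```

With the guard removed from liquidateVault(), a callback that borrows more than its collateral could liquidate its own position and return to a health check that now sees zero debt; with the guard in place that inner call reverts.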
In response to the attack, Arcadia Finance’s team left a message for the attacker through an Optimism transaction, asserting their collaboration with security experts and law enforcement. They warned that failure to return the funds within 24 hours would result in escalated legal action. The team expressed confidence in tracking down the attacker, citing leads obtained from both on-chain and off-chain data, including links to previous exploits.
This incident adds to the growing concerns surrounding exploits and scams in the DeFi space during 2023. A report by Certik revealed that over $300 million was lost due to exploits in the second quarter of the year, emphasizing the need for enhanced security measures within the cryptocurrency ecosystem.