Arcadia Finance has joined the growing list of DeFi protocols to lose funds in hack exploitation. The hackers leveraged a code vulnerability to siphon about $455,000 from the protocol’s Ethereum and Optimism vaults.
Blockchain sleuth PeckShield alerted about Arcadia’s exploitation in a July 9 tweet. In the tweet, PeckShield also highlighted the cause of the attack.
Arcadia Finance Hacker Leveraged Contract Code Vulnerability to Sweep Funds
The tweet revealed that the attackers capitalized on “the lack of untrusted input validation” to carry out the illicit transaction. PeckShield noted that Arcadia Finance’s contract code lacked a validation mechanism to cross-check unverified inputs.
The loophole allowed the hacker to withdraw approximately $445,000 in crypto assets from the protocol’s Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
Arcadia Finance has confirmed the hack attack, but lonely two hours after PeckShield’s update. The protocol noted that it paused the contracts to prevent further fund drainage.Â
The team disclosed that it is working with security experts to investigate the root-cause of the incident and will share more information as soon as it comes.
While investigations into the root cause of the attack continue, PeckShield made another striking revelation. The blockchain security firm said it found another vulnerability in Arcadia’s code, which hackers could explore to steal more funds.
“In addition, there is a lack of reentrancy protection, which allows the instant liquidation to bypass the internal vault health check,” PeckShield said.
Most of the stolen funds, about 180 ETH, came from the Optimism vault. And according to PeckShield’s data, the hackers have already laundered the funds via Tornado Cash.Â
But the stolen Ethereum, worth more than $103,000 at press time, is still in the suspected wallet address, as the hacker has yet to move it.
Q2 2023 Report On DeFi Hack Attacks
Hack exploitation on DeFi protocol has become increasingly problematic. In Q2 2023 alone, the DeFi space has lost over $300 million in crypto assets to hack attacks.
According to the blockchain security firm, CertiK’s quarterly report, Web3 protocols recorded 212 security breach incidents in Q2, leading to a loss of $313,566,528. However, CertiK discovered that crypto hack incidents declined by 58% from the $745 million recorded in Q2 2022.Â
According to CertiK, most hack attacks happened on the BNB Smart Chain, amounting to 119 hack incidents with $70,711,385 million in fund losses.Â
Ethereum, on the other hand, recorded 55 hack incidents, leading to $65,999,953 in losses.
In addition, losses from Oracle manipulation and flash loans drastically reduced in Q2 of 2023 than in the first quarter.Â
The first quarter of 2023 saw 52 Oracle manipulation attacks, with $222 million in losses. Of this lot, the Euler Finance hack attack accounted for 85%.Â
Â
Â
Arcadia Finance has joined the growing list of DeFi protocols to lose funds in hack exploitation. The hackers leveraged a code vulnerability to siphon about $455,000 from the protocol’s Ethereum and Optimism vaults.
Blockchain sleuth PeckShield alerted about Arcadia’s exploitation in a July 9 tweet. In the tweet, PeckShield also highlighted the cause of the attack.
Arcadia Finance Hacker Leveraged Contract Code Vulnerability to Sweep Funds
The tweet revealed that the attackers capitalized on “the lack of untrusted input validation” to carry out the illicit transaction. PeckShield noted that Arcadia Finance’s contract code lacked a validation mechanism to cross-check unverified inputs.
The loophole allowed the hacker to withdraw approximately $445,000 in crypto assets from the protocol’s Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
Arcadia Finance has confirmed the hack attack, but lonely two hours after PeckShield’s update. The protocol noted that it paused the contracts to prevent further fund drainage.Â
The team disclosed that it is working with security experts to investigate the root-cause of the incident and will share more information as soon as it comes.
While investigations into the root cause of the attack continue, PeckShield made another striking revelation. The blockchain security firm said it found another vulnerability in Arcadia’s code, which hackers could explore to steal more funds.
“In addition, there is a lack of reentrancy protection, which allows the instant liquidation to bypass the internal vault health check,” PeckShield said.
Most of the stolen funds, about 180 ETH, came from the Optimism vault. And according to PeckShield’s data, the hackers have already laundered the funds via Tornado Cash.Â
But the stolen Ethereum, worth more than $103,000 at press time, is still in the suspected wallet address, as the hacker has yet to move it.
Q2 2023 Report On DeFi Hack Attacks
Hack exploitation on DeFi protocol has become increasingly problematic. In Q2 2023 alone, the DeFi space has lost over $300 million in crypto assets to hack attacks.
According to the blockchain security firm, CertiK’s quarterly report, Web3 protocols recorded 212 security breach incidents in Q2, leading to a loss of $313,566,528. However, CertiK discovered that crypto hack incidents declined by 58% from the $745 million recorded in Q2 2022.Â
According to CertiK, most hack attacks happened on the BNB Smart Chain, amounting to 119 hack incidents with $70,711,385 million in fund losses.Â
Ethereum, on the other hand, recorded 55 hack incidents, leading to $65,999,953 in losses.
In addition, losses from Oracle manipulation and flash loans drastically reduced in Q2 of 2023 than in the first quarter.Â
The first quarter of 2023 saw 52 Oracle manipulation attacks, with $222 million in losses. Of this lot, the Euler Finance hack attack accounted for 85%.Â
Â
Â