DeFi platform Arcadia Finance falls victim to a $455,000 Ethereum and Optimism hack
Arcadia Finance has joined the growing list of DeFi protocols to lose funds to an exploit. Hackers exploited a code vulnerability to siphon around $455,000 from the protocol's Ethereum and Optimism vaults.
Blockchain security firm PeckShield raised the alarm about the Arcadia exploit in a tweet on July 9. In the tweet, PeckShield also highlighted the cause of the attack.
Arcadia Finance Hacker Leveraged Contract Code Vulnerability to Sweep Funds
The tweet revealed that the attackers took advantage of "the lack of untrusted input validation" to carry out the illicit transaction. PeckShield noted that Arcadia Finance's contract code lacked a mechanism to validate untrusted inputs.
The flaw allowed the hacker to withdraw approximately $445,000 worth of crypto assets from the protocol's Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
Arcadia Finance confirmed the hack, but only two hours after the PeckShield update. The protocol noted that it halted the contracts to prevent a further drain on funds.
The team said that it is working with security experts to investigate the root cause of the incident and will share more information as soon as it is available.
As investigations into the root cause of the attack continue, PeckShield made another startling revelation. The blockchain security firm said it found another vulnerability in Arcadia's code, which hackers could exploit to steal more funds.
“In addition, there is a lack of re-entry protection, allowing instant settlement to bypass the internal vault health check,” PeckShield said.
Most of the stolen funds, around 180 ETH, came from the Optimism vault. According to PeckShield's data, the hackers have already laundered these funds through Tornado Cash.
The stolen Ethereum, however, worth more than $103,000 at press time, is still sitting at the suspected wallet address, as the hacker hasn't moved it yet.
Q2 2023 Report on DeFi Hacking Attacks
Exploits against DeFi protocols have become increasingly problematic. In the second quarter of 2023 alone, the DeFi space lost over $300 million worth of crypto assets to hacking attacks.
According to blockchain security firm CertiK's quarterly report, Web3 protocols reported 212 breach incidents in the second quarter, resulting in a loss of $313,566,528. However, CertiK found that losses from crypto hacking incidents were down 58% from the $745 million registered in the second quarter of 2022.
According to CertiK, most of the hacking attacks occurred on the BNB Smart Chain, which recorded 119 hacking incidents with $70,711,385 in lost funds.
Ethereum, on the other hand, recorded 55 hacking incidents, resulting in losses of $65,999,953.
Additionally, losses from oracle manipulation and flash loans were down dramatically in Q2 2023 compared to Q1.
The first quarter of 2023 saw 52 oracle manipulation attacks, with $222 million in losses. Of this total, the Euler Finance hack accounted for 85%.