A recent DeFi hack on Rodeo Finance raises concerns about Arbitrum’s vulnerability.
Rodeo Finance, a recently launched project on the Arbitrum ecosystem, fell victim to a devastating hack on July 11. The exploit was discovered by PeckShield, a prominent blockchain security firm.
According to the initial estimate, the incident resulted in a loss of approximately $1.53M worth of ETH. However, PeckShield’s latest update indicated the total loss was 472 ETH ($888K).
Rodeo Finance Hacked
According to PeckShield’s explanation, the hack, described as a “ForceInvestment” attack, exploited a flaw in Rodeo Finance’s Investor.earn() routine. This flaw allowed the attackers to force a swap of $USDC to $WETH and then to $unshETH.
Unfortunately, due to a flawed $unshETH price oracle, the slippage control mechanism failed to take effect as intended, enabling the hackers to siphon the stolen ETH from the Arbitrum network to the Ethereum network.
The hackers proceeded with their illicit activities by swapping 285 ETH into unshETH staked tokens and then uploading them to Ankrstaking. Additionally, they transferred 150 ETH to Tornado Cash, a crypto-mixing protocol.
Tornado Cash is no stranger to crypto insiders. The platform’s ability to remove transactional traces complicates the efforts to track the stolen funds.
Igor Igamberdiev, the Head of Research at Wintermute, sheds light on the hackers’ modus operandi. The attackers used TWAP (Time-Weighted Average Price) oracle manipulation to target Rodeo Finance.
The TWAP oracle calculates the average price of an asset over a fixed time frame, aiming to mitigate excessive price volatility. In this case, the attackers manipulated the TWAP oracle to create a fake price, enabling them to profit from the resulting fraudulent arbitrage.
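An added illustration, not code from Rodeo Finance, PeckShield or Wintermute: a slippage bound derived from a TWAP is only as trustworthy as the TWAP itself, so this example compares an honest and a skewed observation window and adds a deviation check against an independent reference price. All prices, the 30-minute sample spacing, the 1% slippage tolerance and the 200 bps deviation limit are constructed assumptions.

```python
from dataclasses import dataclass

BPS = 10_000  # basis points in 100%

@dataclass(frozen=True)
class Observation:
    price: float   # quote units per base unit, e.g. WETH per staked token
    seconds: int   # how long this price was in effect

def twap(window):
    """Time-weighted average price over the observation window."""
    total = sum(o.seconds for o in window)
    if total <= 0:
        raise ValueError("empty TWAP window")
    return sum(o.price * o.seconds for o in window) / total

def min_out(amount_in, price, slippage_bps):
    """Smallest acceptable output when spending amount_in at `price`."""
    return amount_in / price * (BPS - slippage_bps) / BPS

def deviation_bps(price, reference):
    """Distance between the oracle price and a reference, in basis points."""
    return abs(price - reference) / reference * BPS

def checked_min_out(amount_in, window, reference, slippage_bps, max_dev_bps):
    """Derive the slippage bound from the TWAP only when the TWAP agrees
    with an independent reference price; otherwise refuse the swap."""
    price = twap(window)
    dev = deviation_bps(price, reference)
    if dev > max_dev_bps:
        raise ValueError(f"oracle is {dev:.0f} bps away from reference")
    return min_out(amount_in, price, slippage_bps)

# Constructed sample data: four 30-minute observations per window.
HONEST = [Observation(p, 1800) for p in (1.00, 1.01, 0.99, 1.00)]
SKEWED = [Observation(p, 1800) for p in (1.00, 1.01, 1.60, 1.70)]

if __name__ == "__main__":
    for name, window in (("honest", HONEST), ("skewed", SKEWED)):
        bound = min_out(100, twap(window), slippage_bps=100)
        print(f"{name}: twap={twap(window):.4f} min_out={bound:.2f}")
        try:
            checked_min_out(100, window, 1.00, 100, max_dev_bps=200)
            print("  deviation guard: swap allowed")
        except ValueError as err:
            print(f"  deviation guard: swap refused ({err})")
```

With the skewed window the bound falls from 99 to about 74.6 units per 100 spent, so a swap at a far worse rate would still satisfy the slippage check; the deviation guard refuses it instead.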
Rodeo Finance recently stole the limelight after launching on Arbitrum mainnet. The project has been backed by a solid community and is an important piece of the LSDfi (Liquid Staking Derivatives in DeFi) ecosystem, a recent hype in DeFi.
Following the hack, Rodeo Finance’s native token, RDO, experienced a drastic 60% drop in price. The project team has yet to respond to this distressing exposure.
Is Arbitrum Playground Secure Enough?
This recent incident follows a series of similar security breaches in the Arbitrum ecosystem. Earlier this month, an Arbitrum software error halted transaction processing. Previously, on May 20, hjaySwap experienced a rug pull resulting in a loss of $3 million, and on May 28, Jimbos Protocol reported a $7.5 million hack.
Questions are arising within the community regarding the reliability and security of projects built on the Arbitrum ecosystem, as an increasing number of scams, rug pulls, and attacks have been reported.
Apart from that, the DeFi landscape has been a consistent target of multiple illegal activities. Millions of dollars have vanished from wallets following DeFi hacks in previous months.
- The most significant loss of funds came from the flash loan attack on Avalanche’s Platypus DeFi protocol in February. The attackers stole $8.5 million in user funds. Immediately after the attack, two subjects tied to this hack were reportedly under arrest.
- Other hacks in February include the attack on the dForce network ($3.6 million), the Hope Finance smart contract ($1.86 million), and the Orion protocol exploits ($3 million).
- March started with a massive loss of money by ArbiSwap, a newly launched platform. On March 2, they reported a loss of about $100,000.
- In addition, PeckShield discovered a vulnerability on March 1. The hackers took advantage of a flaw in the SwapXProxy token approval function by deploying a new implementation that declared a fraudulent contract address. PeckShield reported that the ongoing phishing attack has resulted in the theft of up to $700,000.
These hacks highlight the need for increased security in the DeFi ecosystem. DeFi protocols are often complex and can be vulnerable to attack. The impact of such hacks extends beyond immediate financial losses, shaking investor confidence and raising doubts about the integrity of emerging projects and their chosen ecosystems.