- Rodeo Finance, an Arbitrum-based DeFi protocol, lost $1.53 million due to a code vulnerability.
- The hack resulted in a loss of 472 ETH, equivalent to around $888,000.
- The exploit was facilitated by a code vulnerability found within Rodeo’s Oracle system, allowing the attacker to exploit and manipulate the protocol’s functionalities.
Rodeo Finance, an Arbitrum-based decentralized finance protocol, recently suffered a significant security breach: a hack that amounted to $1.5 million. Rodeo Finance fell victim to a sophisticated attack in which malicious actors exploited vulnerabilities in the protocol’s smart contracts to gain unauthorized access and drain funds.
The hackers successfully syphoned off approximately $1.5 million worth of cryptocurrency assets, causing substantial financial damage to the protocol and its users.
The recent hack that targeted Rodeo Finance resulted in the loss of approximately $888,000, which translates to 472 ETH. The exploit took advantage of a code vulnerability within Rodeo’s Oracle, allowing the hacker to execute their attack.
According to blockchain analytics firm PeckShield, the hacker initiated a series of transactions to obfuscate the stolen funds. After transferring the stolen funds from Arbitrum to Ethereum, they proceeded to exchange 285 ETH for unshETH.
Following the swap, the hacker deposited a portion of the funds into Eth2 staking and sent 150 ETH to Tornado Cash, a popular mixer service used to obscure the transaction trail.
PeckShield subsequently confirmed that the precise amount involved in the hack was 472 ETH, thereby reaffirming the calculated loss of approximately $888,000.
These details provide a clearer understanding of how the hacker executed the exploit and attempted to conceal their tracks during the subsequent movement of the stolen funds.
The attacker utilized the “Investor.earn()” function within Rodeo Finance to orchestrate the exploit.
They initiated a swap from Rodeo’s interest-bearing USDC pool by forcefully triggering the function. The “Investor.earn()” function within Rodeo Finance allowed a swap from the USDC pool, withdrawing WETH and manipulating the price of their ETH holdings by swapping it for unshETH.
The invalid slippage control mechanism enabled the attacker to take advantage of an inaccurate market value during the swap.
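A slippage bound only protects a swap if the price it is derived from is independent of the pool being traded. The following Python sketch is an added example, not Rodeo's code and not part of the original article; it uses a toy constant-product pool with constructed reserves, and `Pool`, `min_out` and `swap_with_bound` are hypothetical names.

```python
# Toy constant-product pool (x * y = k, no fees); all numbers are constructed.
from dataclasses import dataclass

BPS = 10_000
PRICE_SCALE = 10**6  # prices are token_out per token_in, scaled by 1e6

class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum."""

@dataclass
class Pool:
    reserve_in: int
    reserve_out: int

    def spot_price(self) -> int:
        return self.reserve_out * PRICE_SCALE // self.reserve_in

    def swap(self, amount_in: int, min_out: int) -> int:
        out = self.reserve_out * amount_in // (self.reserve_in + amount_in)
        if out < min_out:  # the slippage control: revert instead of filling
            raise SlippageExceeded(f"got {out}, required {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def min_out(amount_in: int, price: int, max_slippage_bps: int) -> int:
    """Smallest acceptable output for a given price and tolerance."""
    return amount_in * price * (BPS - max_slippage_bps) // (PRICE_SCALE * BPS)

def swap_with_bound(pool: Pool, amount_in: int, price: int, bps: int = 100) -> int:
    return pool.swap(amount_in, min_out(amount_in, price, bps))

def demo() -> dict:
    fair_price = 1 * PRICE_SCALE  # assumed independent reference price
    results = {}
    results["healthy"] = swap_with_bound(Pool(1_000_000, 1_000_000), 1_000, fair_price)
    # Same k, but reserves skewed so the pool price is 0.25 instead of 1.0.
    results["no_bound"] = Pool(2_000_000, 500_000).swap(1_000, 0)
    skewed = Pool(2_000_000, 500_000)
    # Bound taken from the same skewed pool: the check passes and protects nothing.
    results["bound_from_pool_spot"] = swap_with_bound(skewed, 1_000, skewed.spot_price())
    try:
        swap_with_bound(Pool(2_000_000, 500_000), 1_000, fair_price)
    except SlippageExceeded as exc:
        results["bound_from_reference"] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the last case reverts: a minimum output of zero and a minimum computed from the pool's own distorted price both let the swap fill at a quarter of the reference value.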
In reaction to this terrible incident, the protocol published an official statement to its users, providing information about the situation and assuring them that measures are being taken to recover the stolen assets.
Rodeo Finance indicated that it was committed to fixing the issue and that it had engaged the assistance of various auditors to examine the incident. According to the statement, around $880,000 was stolen from the lending pool; however, approximately $810,000 of the stolen monies were successfully restored.
During 2023, the Arbitrum Network has witnessed a concerning number of security incidents, with a total of 21 exploits recorded. These incidents involved various forms of exploits occurring within the network.
One notable incident took place in May, where Jimbos Protocol, a liquidity platform built on the Arbitrum Network, suffered a significant exploit shortly after the release of Version 2.