By exploiting a code vulnerability in the Arcadia Finance DeFi protocol, a hacker managed to drain approximately $455K.
PeckShield, a blockchain investigator, raised the alert on the Arcadia Finance hack and attributed it to a lack of validation of untrusted input. With no mechanism in the code to cross-check unverified inputs, the hacker was able to drain around $455K from the Optimism (darcUSDC) and Ethereum (darcWETH) vaults.
PeckShield: Arcadia Finance code required no validation of untrusted input.
Two hours after PeckShield’s report, Arcadia Finance confirmed the hack and temporarily paused the contracts to prevent further drainage of funds. Arcadia Finance noted in their tweet:
“We are aware of a potential exploit in our protocol. We have paused the contracts and are investigating the root-cause with security experts as we speak. More info will follow as it comes available.”
As the investigation continued, PeckShield noticed another code vulnerability, which could potentially lead to catastrophic outcomes for the protocol if exploited. PeckShield commented on the issue:
“In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check.”
Most of the stolen funds came from Optimism, around 180 ETH (Ether), and were laundered via Tornado Cash. The tokens stolen from Ethereum, worth over $103K, still appear to remain at the suspected wallet address.
Exploits and hacks have already caused losses of over $300 million in the crypto industry, according to Q2 2023 data.
CertiK, a blockchain security company, reported that the 212 security incidents recorded in the quarter resulted in a total loss of over $313 million from Web3 protocols.
However, compared with Q2 of last year, CertiK recorded that cyber-attacks declined by 58%. Most incidents were recorded on BNB Chain, where 119 attacks led to losses reaching $70.8 million.