DeFi Protocol Arcadia Finance Hacked, Losing $455K on Ethereum and Optimism

 

Decentralized finance (DeFi) protocol Arcadia Finance has fallen victim to a hack, resulting in the loss of approximately $455,000. Exploiting a vulnerability in the code, the hacker drained funds from Arcadia's Ethereum and Optimism vaults. This incident highlights the ongoing security challenges faced by the DeFi space and the need for robust measures to protect user funds.

Code Vulnerability and Exploitation

PeckShield, a blockchain investigator, discovered the hack and identified the lack of untrusted input validation as the root cause. The code used by Arcadia Finance reportedly lacked a mechanism to verify unverified inputs, allowing the hacker to exploit this loophole and drain funds from the Ethereum (darcWETH) and Optimism (darcUSDC) vaults. 

Arcadia Finance code required no validation of untrusted input. Source: PeckShield

 

Response and Mitigation

Arcadia Finance acknowledged the hack two hours after being alerted by PeckShield and promptly paused the contracts to prevent further loss of funds. Investigations into the incident are currently underway. However, it is worth noting that the protocol still contains another vulnerability that, if exploited, could have severe consequences. PeckShield pointed out the lack of reentrancy protection, which enables instant liquidation to bypass internal vault health checks.

Stolen Funds and Post-Hack Actions

The majority of the stolen funds, approximately 180 Ether, were taken from Optimism and subsequently laundered through Tornado Cash. However, the stolen tokens on Ethereum, valued at over $103,000 at the time of writing, remain parked in the suspected wallet address. Recovering the stolen funds and addressing the security vulnerabilities will be key priorities for Arcadia Finance moving forward.

DeFi Security Challenges and Industry Trends

The hack suffered by Arcadia Finance adds to a series of security incidents and exploits that have plagued the crypto space in the second quarter of 2023. According to a report from CertiK, a blockchain security company, a total of 212 security incidents resulted in a cumulative loss of $313,566,528 from Web3 protocols during that period. However, the report also noted a 58% decline in crypto hacks compared to the same quarter of the previous year. Among the incidents, BNB Chain experienced the highest number, with 119 incidents leading to losses of $70,711,385.

Conclusion

The hack on Arcadia Finance underscores the ongoing security challenges faced by DeFi protocols. The exploit of code vulnerabilities highlights the importance of comprehensive security measures and rigorous audits to protect user funds. As the DeFi industry continues to evolve, it is crucial for protocols to prioritize security to maintain user trust and safeguard the long-term success of the ecosystem.