Arcadia Finance Hacker Exploits Reentrancy Vulnerability, Team Urges Return of Funds
The Arcadia Finance hacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a post-mortem report released by the app’s development team on July 10. A reentrancy exploit lets an attacker interrupt, or “reenter,” a contract in the middle of a multi-step process, so that the process does not complete as intended.
The development team has sent a firm message to the hacker demanding the immediate return of the funds within 24 hours. Failure to comply could result in legal action against the culprit.
Read our post-mortem report explaining the ongoing incident, providing a technical overview, and discussing our next steps.
— Arcadia Finance (@ArcadiaFi) July 10, 2023
Arcadia Finance fell victim to an exploit on the morning of July 10, resulting in the loss of $455,000 worth of cryptocurrency. A preliminary analysis conducted by blockchain security firm PeckShield initially indicated that the attacker took advantage of a “lack of untrusted input validation” in the app’s contracts to drain the funds. However, the Arcadia team denied this claim, asserting that PeckShield’s analysis was incorrect. Nevertheless, the team did not provide a clear explanation for the cause of the exploit at that time.
The newly released Arcadia report reveals that the app’s “liquidateVault()” function did not include a reentrancy check. This allowed the hacker to execute the function before a health check was completed, but after the funds had already been withdrawn. Consequently, the attacker was able to borrow funds without repaying them, depleting the protocol’s assets.
The development team has temporarily halted the contracts and is actively working on a patch to address this vulnerability.
To execute the attack, the hacker initially acquired a flash loan worth $20,672 in USD Coin (USDC) from Aave, which was then deposited into an Arcadia vault. Subsequently, utilizing this vault as collateral, the hacker borrowed an additional $103,210 USDC from an Arcadia liquidity pool through the “doActionWithLeverage()” function, which allows users to borrow funds as long as their account remains healthy by the end of the block.
The attacker then deposited the borrowed $103,210 into the vault, resulting in a total of $123,882. Afterward, the funds were completely withdrawn from the vault, leaving it with zero assets and $103,210 in debt.
In theory, this series of actions should have triggered a reversion, as withdrawing the funds should have caused the account to fail the health check. However, the attacker cleverly employed a malicious contract to call the “liquidateVault()” function prior to the initiation of the health check. As a result, the vault was liquidated, eliminating all debts. Consequently, the vault had zero assets and liabilities, enabling it to pass the health check.
Since the account passed the health check after the completion of all transactions, none of the actions were reverted, and a total of $103,210 was drained from the pool. Remarkably, the hacker repaid the loan from Aave within the same block. This exploit was conducted multiple times, resulting in a total loss of $455,000 from pools on Optimism and Ethereum.
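The accounting described above can be modeled in a few lines. This Python sketch is an added illustration, not Arcadia's contract code: the class, the method bodies, the pool size of 1,000,000 and the simplification that liquidation clears the debt are assumptions, while the 20,672 and 103,210 figures come from the report. It shows why a health check deferred to the end of the action needs a reentrancy check on liquidation.

```python
class Revert(Exception):
    """Models an EVM revert: the whole transaction is rolled back."""


class Vault:
    def __init__(self, pool_liquidity, guarded):
        self.pool = pool_liquidity   # liquidity pool balance (constructed value)
        self.guarded = guarded       # True = liquidate_vault() has a reentrancy check
        self.assets = 0
        self.debt = 0
        self.in_action = False

    def deposit(self, amount):
        self.assets += amount

    def withdraw(self, amount):
        self.assets -= amount

    def liquidate_vault(self):
        if self.guarded and self.in_action:
            raise Revert("reentrant call")
        if self.assets >= self.debt:
            raise Revert("vault is healthy")
        self.debt = 0  # simplification: liquidation clears the vault's debt

    def do_action_with_leverage(self, borrow, callback):
        self.in_action = True
        self.pool -= borrow
        self.debt += borrow
        self.assets += borrow        # borrowed funds land in the vault
        callback(self)               # control passes to untrusted code here
        self.in_action = False
        if self.assets < self.debt:  # health check runs only at the very end
            raise Revert("health check failed")


def simulate(guarded, liquidate_mid_action=True):
    """Return (pool_loss, outcome) for one transaction against a fresh vault."""
    vault = Vault(pool_liquidity=1_000_000, guarded=guarded)
    vault.deposit(20_672)            # collateral figure from the report

    def callback(v):
        v.withdraw(v.assets)         # vault now holds 0 assets, 103,210 debt
        if liquidate_mid_action:
            v.liquidate_vault()

    try:
        vault.do_action_with_leverage(103_210, callback)
    except Revert as err:
        return 0, str(err)           # reverted: no state change, pool keeps its funds
    return 1_000_000 - vault.pool, "completed"
```

Without the guard the final health check sees zero assets and zero debt and passes. With it, the nested liquidation reverts the whole transaction and the pool balance is unchanged.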
In their report, the Arcadia team refuted claims suggesting that the exploit was caused by untrusted input. They stated that this supposed vulnerability was not the primary issue that led to the attack.
In an effort to communicate with the attacker, the Arcadia team utilized the input data field of an Optimism transaction. Their message read as follows:
“We are aware of your involvement in the Arcadia Finance exploit. We are actively collaborating with security experts and law enforcement. Your rapid deposits and withdrawals on BNB make it difficult to conceal your online identity in this day and age. If the funds are not returned within the next 24 hours, we will escalate this matter to law enforcement.”
According to the report, Arcadia claims to have made some promising progress in tracking down the hacker. They state, “In addition to identifying addresses associated with centralized exchanges, we have also discovered connections to previous exploits involving other protocols. Our team is conducting a thorough investigation utilizing both on-chain and off-chain data, and we have multiple leads.”
Exploits and scams continue to plague the DeFi space in 2023. A report from CertiK published on July 5 revealed that over $300 million was lost due to exploits during the second quarter of the year.