Exploitation of Arbitrum-based Rodeo Finance Leads to Stolen $1.5M in Crypto

Exploiting Rodeo Finance

On July 11, the decentralized finance (DeFi) protocol Rodeo Finance was exploited for $1.53 million using a code vulnerability in its Oracle. This led to a loss of over 810 Ether (ETH).

According to blockchain analytic firm PeckShield, the attacker then bridged the stolen funds from Arbitrum to Ethereum and swapped 285 ETH for unshETH. Next, the ETH was deposited on Eth2 staking, and the attacker utilized the popular mixer service Tornado Cash as an exit route to obscure the transaction’s footprint.

The attacker took advantage of time-weighted average price oracle manipulation, which is used by DeFi protocols to calculate the average price of an asset and reduce price fluctuation due to market volatility. However, this vulnerability can be exploited by attackers who artificially skew the calculated average price of an asset, thus gaining an advantage to exploit the protocol during a transaction.

In the crypto space, Shiba Inu (SHIB), Sandbox (SAND), Graph (GRT), FTX (FTX), Jupiter (JUP), Dogecoin (DOGE), Deso (DESO), Livepeer (LIVE) and Luna (LUNA) are some of the latest tokens that are being traded.

Exploiting Crypto Assets

An exploiter can borrow a large sum of a crypto asset, such as SHIBA INU or GRT, and then manipulate the price to buy it back at a deflated rate. By returning the loan, the exploiter can make a profit from the low price they created.

The wallet address associated with the Rodeo exploit currently holds over 374 ETH, and Etherscan has marked it as linked to the exploit. This caused the DeFi protocol’s total value locked (TVL) to drop from $20 million to below $500.

The exploit also caused the native token of the DeFi protocol to tank, dropping over 53% in the past 24 hours.

In 2023 alone, there have been 21 recorded incidents of some form of exploit on the Arbitrum Network. The latest exploit of $1.53 million makes it the fifth largest recorded on Aribitrum in 2023. Rodeo Finance was also exploited on July 5 for around $89,000 due to a vulnerability in their mintProtocolReserves function.

Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space, such as Shiba Inu, Shib Crypto, Sandbox Crypto, GRT Crypto, Crypto FTX, Jupiter Crypto, Crypto Dogecoin, Deso Crypto, Live Crypto, and Luna Crypto.