Arcadia Finance hacker used reentrancy exploit, team demands return of funds

Exploring the Reentrancy Exploit of Arcadia Finance

The Arcadia Finance team released a post-mortem report on July 10th that revealed a reentrancy exploit had been used to drain $455,000 worth of crypto from the decentralized finance (DeFi) protocol. A reentrancy exploit abuses a bug that lets an attacker call back into (“re-enter”) a contract in the middle of a multi-step process, before that process has finished, so that it does not complete correctly.

The team has sent a message to the attacker demanding the return of funds within 24 hours and threatening police action if they fail to comply.

On the morning of July 10th, Arcadia Finance was exploited and drained of $455,000 worth of crypto. Initial analysis from blockchain security firm Peckshield suggested the attacker had used a “lack of untrusted input validation” in the app’s contracts to drain the funds. The Arcadia team denied this and did not offer an explanation. However, the new Arcadia report stated that the app’s “liquidateVault()” function did not contain a reentrancy check. This enabled the attacker to call the function before a health check had been completed, but after the attacker had withdrawn funds. As a result, the attacker was able to borrow funds and not pay them back, draining them from the protocol.

The reentrancy exploit of Arcadia Finance has sparked discussion in the crypto community, as investors in projects such as Shiba Inu, Voyager Crypto, Matic Crypto, Mana Crypto, Waves Crypto, Polkadot Crypto, Pi Crypto, Tectonic Crypto, BTT Crypto and Chainlink Crypto consider the implications for their investments.

Exploiting Crypto Assets

The team has now paused the contracts and is working on a patch to close the loophole.

The attacker first took a flash loan of $20,672 in US Dollar Coin (USDC) from Aave and deposited it into an Arcadia vault. Subsequently, they used the vault collateral to borrow $103,210 USDC from an Arcadia liquidity pool using a “doActionWithLeverage()” function, which allows users to borrow funds only if their account can remain healthy by the end of the block.

The attacker then deposited the $103,210 into the vault, bringing the total funds to $123,882. They then withdrew all funds, leaving the vault with no assets and $103,210 in debt.

Theoretically, this should have caused all actions to revert, as withdrawing the funds should have caused the account to fail its health check. However, the attacker used a malicious contract to call liquidateVault() before the health check could commence. The vault was liquidated, which eliminated all of its debt and left it with zero assets and zero liabilities, so it passed the health check.
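To make the sequence above concrete, here is an added Python model written for this article; it is not Arcadia's code. It models a vault whose `doActionWithLeverage()` defers the health check to the end of the action, and a `liquidateVault()` that can be run either without a reentrancy check (as the post-mortem describes) or with one. The one-to-one health rule, the starting pool liquidity, and the method names `deposit`, `withdraw`, `liquidate_vault` and `do_action_with_leverage` are assumptions made for the model; the dollar figures are the ones reported above.

```python
from dataclasses import dataclass


class Revert(Exception):
    """Models an EVM revert: every state change of the action is rolled back."""


@dataclass
class Vault:
    collateral: int = 0  # USDC held as collateral (toy units: whole dollars)
    debt: int = 0        # USDC borrowed from the pool


class LendingPool:
    """Toy pool with vaults. reentrancy_guard=True is the hardened variant."""

    def __init__(self, liquidity: int, reentrancy_guard: bool) -> None:
        self.liquidity = liquidity
        self.reentrancy_guard = reentrancy_guard
        self.locked = False  # true while a leveraged action is in progress
        self.vaults: dict[str, Vault] = {}

    def open_vault(self, owner: str) -> Vault:
        self.vaults[owner] = Vault()
        return self.vaults[owner]

    @staticmethod
    def is_healthy(v: Vault) -> bool:
        # Assumed toy health rule: collateral must cover debt one-to-one.
        return v.collateral >= v.debt

    def deposit(self, owner: str, amount: int) -> None:
        self.vaults[owner].collateral += amount

    def withdraw(self, owner: str, amount: int) -> int:
        v = self.vaults[owner]
        if amount > v.collateral:
            raise Revert("insufficient collateral")
        v.collateral -= amount
        # Inside a leveraged action the health check is deferred to its end.
        if not self.locked and not self.is_healthy(v):
            raise Revert("withdrawal would leave the vault unhealthy")
        return amount

    def liquidate_vault(self, owner: str) -> None:
        # The check the post-mortem says was missing: reject re-entry.
        if self.reentrancy_guard and self.locked:
            raise Revert("liquidateVault: reentrant call blocked")
        v = self.vaults[owner]
        if self.is_healthy(v):
            raise Revert("vault is healthy; nothing to liquidate")
        v.collateral = 0  # liquidation wipes the position: zero assets, zero debt
        v.debt = 0

    def do_action_with_leverage(self, owner: str, borrow: int, callback) -> None:
        """Lend `borrow` to the vault, run caller code, then check health once."""
        if self.reentrancy_guard and self.locked:
            raise Revert("doActionWithLeverage: reentrant call blocked")
        v = self.vaults[owner]
        snapshot = (v.collateral, v.debt, self.liquidity)
        self.locked = True
        try:
            if borrow > self.liquidity:
                raise Revert("pool lacks liquidity")
            self.liquidity -= borrow
            v.debt += borrow
            callback(self)  # caller-supplied code runs before the health check
            if not self.is_healthy(v):
                raise Revert("health check failed at end of action")
        except Revert:
            v.collateral, v.debt, self.liquidity = snapshot  # roll back
            raise
        finally:
            self.locked = False


POOL_LIQUIDITY = 1_000_000  # constructed starting liquidity for the model
FLASH_LOAN = 20_672         # figures reported in the post-mortem
BORROW = 103_210


def run_attack(reentrancy_guard: bool) -> dict:
    """Replay the described sequence against a guarded or unguarded pool."""
    pool = LendingPool(POOL_LIQUIDITY, reentrancy_guard)
    me = "attacker"
    pool.open_vault(me)
    wallet = {"usdc": 0}
    pool.deposit(me, FLASH_LOAN)  # flash-loaned USDC becomes collateral

    def leveraged_action(p: LendingPool) -> None:
        p.deposit(me, BORROW)  # borrowed USDC deposited: 123,882 in the vault
        wallet["usdc"] += p.withdraw(me, p.vaults[me].collateral)  # withdraw all
        p.liquidate_vault(me)  # re-enter before the deferred health check

    try:
        pool.do_action_with_leverage(me, BORROW, leveraged_action)
    except Revert as exc:
        return {"reverted": True, "reason": str(exc),
                "pool_loss": POOL_LIQUIDITY - pool.liquidity}
    wallet["usdc"] -= FLASH_LOAN  # repay Aave in the same block
    return {"reverted": False, "attacker_profit": wallet["usdc"],
            "pool_loss": POOL_LIQUIDITY - pool.liquidity}
```

With `reentrancy_guard=False` the model reproduces the reported outcome: the vault ends at zero assets and zero debt, the deferred health check passes, and the pool is short $103,210. With the guard enabled the reentrant `liquidate_vault` call reverts, the rollback restores the snapshot, and the pool loses nothing; the defensive point is that any function which can change a vault's debt must refuse to run while a deferred-check action on that vault is still open.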

The Shiba Inu (SHIB), Voyager (VGX), Matic (MATIC), Decentraland (MANA), Waves (WAVES), Polkadot (DOT), Pi (PI), Tectonic (TEC), and BitTorrent (BTT) crypto assets were all exploited in this attack.

Exploit Drains $455,000 from Crypto Pools

An exploit was used to drain a total of $455,000 from crypto pools on Optimism and Ethereum. In each instance the vault passed its health check only once all of the steps had completed, and the pool was drained of $103,210. The attacker paid back the loan from Aave within the same block, and then repeated this exploit multiple times.

In its report, Arcadia’s team pushed back against claims that the exploit was caused by untrusted input, stating that this alleged vulnerability was not “the core issue” in the attack. The Arcadia team posted a message to the attacker using the input data field of an Optimism transaction, stating:

Arcadia claimed it had found some promising leads for tracking down the attacker. “Besides obtaining addresses linked to centralized exchanges, we also uncovered links to previous exploits of other protocols such as Shiba Inu, Voyager Crypto, Matic Crypto, Mana Crypto, Waves Crypto, Polkadot Crypto, Pi Crypto, Tectonic Crypto, and BTT Crypto,” they said. “The team is investigating both on-chain and off-chain data to the fullest extent and has multiple leads.”

The crypto space has been grappling with exploits and scams in 2023, as evidenced by the July 5 report from Certik which revealed that over $300 million was lost due to exploits in the second quarter of the year. Among the affected crypto assets were Shiba Inu, Voyager Crypto, Matic, Mana, Waves, Polkadot, Pi, Tectonic, BTT and Chainlink.
