Arcadia Finance says exploiter contacted after $450K hack

DeFi protocol Arcadia Finance has alerted users that it lost $455,000 in a hack, which blockchain security firm PeckShield says was made possible due to vulnerabilities in Arcadia’s code.

Non-custodial, permissionless protocol Arcadia Finance launched on Ethereum and Optimism in March. It allows users to trade spot with leverage and boost staked ether.

PeckShield flagged the exploit on Twitter early Monday morning. “Our analysis shows that the [Arcadia Finance] hack is due to the lack of untrusted input validation,” the blockchain security firm posted, “which is exploited to drain funds from both darcWETH and darcUSDC vaults.”

  • PeckShield says that the exploiter on Optimism transferred 180 ether ($305,000) and washed most of it through Tornado Cash.
  • The exploiter on Ethereum took roughly $100,000, which remains in the wallet at press time.
  • Arcadia Finance’s total value locked (TVL) has sharply dropped by 77% since the protocol hack, from $605,000 to $140,000 at press time.

According to the firm, Arcadia Finance is vulnerable to other exploits. It has “a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check,” PeckShield warned.

The flow of stolen funds according to PeckShield.

Read more: Latest round of DeFi exploits display its wide range of vulnerabilities

The Arcadia Finance hack comes amid a wave of DeFi exploits. Over $470 million was lost to 108 protocol attacks in the first half of the year, according to a June 30 report by web3 security firm Beosin. However, the DeFi industry has experienced a sharp decrease in the amount of funds lost; in the first half of 2022, protocols lost a combined $1.9 billion.

Arcadia Finance hack: Exploiter has been contacted

Arcadia Finance confirmed the hack two hours after PeckShield’s first alert. It assured users it was looking into the situation.

“We have paused the contracts and are investigating the root-case with security experts as we speak,” the DeFi protocol said. “More info will follow as it comes available.”

Two hours after that, Arcadia Finance updated its users on Twitter. “We have initiated contact with the attacker,” it announced. “We will continue to work with our security partners, law enforcement, and the broader community to resolve this as best we can.

Our number one priority is recovering funds for Arcadia protocol users,” the firm said.

This is an unfolding story. Protos will update this piece as news comes to light.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on TwitterInstagramBluesky, and Google News, or subscribe to our YouTube channel.