DeFi protocol Rodeo Finance has seen its total value locked (TVL) drop from $20 million to less than $500 after a hacker used oracle manipulation to relieve it of more than $885,000 in ETH. This is the second major hack to hit Rodeo in the past week.
The Arbitrum-based protocol lost 472 ETH in Tuesday’s attack. The hacker exchanged 285 of the stolen tokens for unshETH before depositing it into Eth2 staking. The funds were moved via Tornado Cash.
The attack comes just days after Rodeo lost nearly $90,000 to attackers exploiting a vulnerability in its mintProtocolReserves function. This latest exploit was first uncovered by blockchain security firm PeckShield, which tweeted at Rodeo suggesting that it “may want to take a look.”
According to Cointelegraph, the attacker used “time-weighted average price oracle manipulation.” A time-weighted average price (TWAP) oracle is how DeFi platforms calculate asset prices within a specific timeframe, which helps protect them against market volatility.
However, it also allows hackers to manipulate prices.
- An attacker starts by borrowing a large amount of a particular asset.
- They then artificially tweak the price to buy the same asset at a lower price.
- Next, the exploiter returns their loan and takes the profits based on the low prices they set.
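How a time-weighted average reacts to a short-lived skewed price, with a deviation check a protocol can place in front of it. This is an added illustration, not code from Rodeo Finance or Cointelegraph. The samples, the independent reference feed and the 10% tolerance are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    timestamp: int  # seconds since an arbitrary start
    price: float    # pool price that holds until the next observation

def twap(observations, start, end):
    """Time-weighted average price over [start, end], price held piecewise-constant."""
    if end <= start:
        raise ValueError("window must have positive length")
    obs = sorted(observations, key=lambda o: o.timestamp)
    weighted, covered = 0.0, 0
    for i, cur in enumerate(obs):
        nxt = obs[i + 1].timestamp if i + 1 < len(obs) else end
        seg_start, seg_end = max(cur.timestamp, start), min(nxt, end)
        if seg_end > seg_start:
            weighted += cur.price * (seg_end - seg_start)
            covered += seg_end - seg_start
    if covered == 0:
        raise ValueError("no observation covers the window")
    return weighted / covered

def deviation_bps(price, reference):
    """Absolute deviation from a reference price, in basis points."""
    return abs(price - reference) / reference * 10_000

def price_is_acceptable(price, reference, max_bps):
    """Guard: refuse to act on an oracle price too far from an independent reference."""
    return deviation_bps(price, reference) <= max_bps

# Constructed samples: price sits at 1.00, is skewed to 1.50 for 600 s, then reverts.
SAMPLES = [Observation(0, 1.00), Observation(3000, 1.50), Observation(3600, 1.00)]
REFERENCE = 1.00   # assumed independent price feed
MAX_BPS = 1000     # assumed 10% tolerance

def report(now=3600):
    """TWAP and guard verdict for 10-, 30- and 60-minute windows ending at `now`."""
    rows = {}
    for window in (600, 1800, 3600):
        p = twap(SAMPLES, now - window, now)
        rows[window] = (round(p, 4), price_is_acceptable(p, REFERENCE, MAX_BPS))
    return rows

if __name__ == "__main__":
    for window, (p, ok) in report().items():
        print(f"window={window:>4}s twap={p:.4f} accepted={ok}")
```

A longer window dilutes the skewed interval but does not remove it, which is why the window length and the tolerance have to be chosen together.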
The address linked to the mystery attacker apparently still holds somewhere in the region of 374 ETH (over $700,000). The exploit has also negatively impacted the price of Rodeo Finance’s native RDO token, which dropped more than 50% following the hack.
The exploit continues a run of bad luck for the Arbitrum network. In April, Arbitrum-based Sentiment saw $1 million stolen, and in May, Jimbos protocol lost $7.5 million. There have been a reported 21 exploits on Arbitrum since the start of the year, with total losses of over $20 million.