Arcadia Finance, a decentralized finance (defi) protocol, has experienced a major setback after being targeted by a code exploit, resulting in a substantial loss of around $455,000. The breach was initially discovered by PeckShield, a blockchain security firm, which identified a coding oversight related to untrusted input validation as the main cause of the vulnerability. By exploiting this coding loophole, a hacker successfully drained funds from Arcadia’s Ethereum and Optimism vaults, placing the defi protocol in a precarious situation.
The company acknowledged the breach on Twitter and promptly suspended the affected contracts to mitigate any further losses. PeckShield’s investigation also uncovered an additional vulnerability in Arcadia’s code, highlighting the absence of untrusted input validation and reentrancy protection. The lack of reentrancy protection enabled hackers to bypass the internal vault health check, facilitating instant liquidation.
According to PeckShield’s findings, a significant portion of the stolen funds, approximately 180 Ethereum (ETH), originated from Arcadia’s Optimism vault. It appears that these funds were funneled through Tornado Cash, an Ethereum-based mixing service. However, the stolen ETH, valued at over $340,000 at the time of writing, remains stagnant in the suspected hacker’s wallet.
This exploit is the latest addition to a string of notable attacks in the defi space. Just days before, the Multichain hack resulted in a staggering $130 million being stolen. In response, stablecoin issuers Tether and Circle took action by blacklisting five addresses associated with the stolen funds. Earlier in the month, the Poly Network also fell victim to a $5.5 million exploit, further underscoring concerns about the security of defi protocols.
Arcadia Finance has been actively engaging with the hacker, leveraging its community and security resources to expedite a resolution. The protocol has emphasized its commitment to recovering funds for its users as its top priority. To rebuild trust and enhance security, Arcadia Finance is expected to conduct a comprehensive analysis of its existing security systems and implement more stringent measures to prevent future breaches.
The impact of this breach is already evident, as DeFiLlama, a defi TVL aggregator, reported a significant 76% drop in Arcadia Finance’s total value locked (TVL). Within a short period, the TVL plummeted from $605,000 to $143,000.