Rodeo Finance Exploited for $1.53 Million: Another Blow to Arbitrum-based DeFi Protocol

Arbitrum-based decentralized finance (DeFi) protocol Rodeo Finance has fallen victim to yet another exploit, losing a staggering $1.53 million. This incident, which occurred on July 11, marks the second time within a week that Rodeo Finance has been targeted by hackers. The exploit itself was carried out by exploiting a code vulnerability in the protocol’s Oracle system, resulting in the loss of more than 810 Ether (ETH).

According to data provided by PeckShield, a blockchain analytics firm, the attacker, after successfully breaching Rodeo Finance, proceeded to transfer the stolen funds from Arbitrum to Ethereum. Subsequently, the attacker swapped 285 ETH for unshETH, which was then deposited onto Eth2 staking. To further complicate the tracing of their movements, the culprit utilized Tornado Cash, a well-known mixer service that obscures the transaction’s footprint.

The exploit employed a technique known as time-weighted average price (TWAP) oracle manipulation. DeFi protocols commonly utilize TWAP oracles to calculate the average price of an asset during a specific time frame. This method helps mitigate potential price fluctuations resulting from market volatility. However, this system vulnerability allows bad actors to manipulate these oracles by artificially skewing the calculated average price of an asset, granting them the advantage needed to exploit the protocol during a transaction. Exploiters begin by borrowing a substantial amount of an asset and then artificially manipulating the price to purchase the same asset at a deflated rate. Once the loan has been returned, they profit from the low price achieved through these manipulations.

As of now, the exploiter’s wallet address still possesses over 374 ETH, with Etherscan linking the address to the Rodeo Finance exploit. Prior to the exploit, the DeFi protocol had locked in a total value of $20 million (TVL). However, following the attack, the TVL plummeted to below $500. Furthermore, the native token of Rodeo Finance experienced a severe price drop of over 53% within the past 24 hours.

This latest exploit on Arbitrum Network contributes to the long list of its vulnerabilities in 2023. Reportedly, there have been 21 recorded incidents of exploits on the network this year alone, resulting in a combined loss exceeding $20 million. With a total of $1.53 million stolen, this particular attack now ranks as the fifth largest exploit on Arbitrum in 2023. It is worth noting that Rodeo Finance was also previously targeted on July 5, with the hackers capitalizing on a vulnerability in the mintProtocolReserves function to steal approximately $89,000.

The impact of this breach not only extends to the protocol itself but also affects the wider DeFi community. Confidence in Rodeo Finance has been significantly undermined, and users may be hesitant to continue using the platform due to the perceived security risks. Additionally, this incident highlights the ongoing challenges faced by DeFi projects in securing their systems against increasingly sophisticated attacks.

In conclusion, the exploitation of Rodeo Finance for $1.53 million has once again highlighted the vulnerabilities present in DeFi protocols and the challenges faced in securing these platforms. The attack is a reminder of the need for constant vigilance and improved security measures within the DeFi ecosystem to protect user funds and maintain trust in these decentralized systems.