An Arcadia Finance attacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a July 10 post-mortem report published by the app's development team. A "reentrancy exploit" is a bug that allows an attacker to "re-enter" a contract during a multi-step process and break it, preventing the process from completing as intended.
The team sent a message to the attacker demanding the return of funds within 24 hours and threatening police action if the hacker does not comply.
Post-mortem of the current situation, providing technical insight and sharing more information on next steps. https://t.co/NPNbbSzKBQ
— Arcadia Finance (@ArcadiaFi) July 10, 2023
Arcadia Finance was exploited on the morning of July 10 and drained of $455,000 worth of crypto. A preliminary report from blockchain security firm PeckShield said the attacker used a "lack of untrusted input validation" in the app's contracts to drain funds. The Arcadia team disputed this, saying PeckShield's analysis was flawed, but did not explain at the time what they believed the cause to be.
The new Arcadia report stated that the application’s “liquidateVault()” function did not contain a reentrancy check. This allowed the attacker to call the function before a health check was completed, but after the attacker had withdrawn funds. As a result, the attacker could borrow funds and not repay them, draining them from the protocol.
The team has now suspended contracts and is working on a fix to close the loophole.
The attacker first took out a flash loan from Aave worth $20,672 in USD Coin (USDC) and deposited it in an Arcadia vault. Then the hacker used this vault collateral to borrow $103,210 USDC from an Arcadia liquidity pool. This was accomplished through a “doActionWithLeverage()” function that allows users to borrow funds only if their account can remain healthy at the end of the block.
The attacker deposited the $103,210 into the vault, bringing the total funds to $123,882. The hacker then withdrew all funds, leaving the vault with no assets and $103,210 in debt.
In theory, this should have caused all actions to be undone, as withdrawing the funds should have caused the account health check to fail. However, the attacker used a malicious contract to call liquidateVault() before the health check ran. The vault was liquidated, eliminating all of its debt. As a result, the attacker ended up with zero assets and zero liabilities, which was enough to pass the health check.
Since the account passed the health check after all trades were completed, none of the trades were rolled back and the pool was emptied of $103,210. The attacker repaid the Aave flash loan in the same block. The hacker repeated this sequence several times, draining a total of $455,000 from the pools on Optimism and Ethereum.
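The guard the post-mortem describes as missing, shown here as an added illustrative contract that is not Arcadia's code: a single reentrancy lock shared by the leveraged action and the liquidation entry point, so liquidation cannot run while a vault is transiently unhealthy mid-action. Names, the health rule and the owner/withdraw model are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative vault (not Arcadia's code). The point: liquidateVault shares
/// the same lock as doActionWithLeverage, so the deferred end-of-call health
/// check cannot be bypassed by liquidating the vault mid-action.
contract GuardedVault {
    uint256 public collateral;
    uint256 public debt;
    address public owner;
    bool private locked; // shared reentrancy lock (assumed design)

    constructor() { owner = msg.sender; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    /// Toy health rule: debt may not exceed 80% of collateral.
    function isHealthy() public view returns (bool) {
        return debt * 100 <= collateral * 80;
    }

    function deposit(uint256 amount) external { collateral += amount; }

    /// Owner may withdraw inside an action; the final health check in
    /// doActionWithLeverage is what makes that safe.
    function withdraw(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        collateral -= amount;
    }

    /// Borrow, run an arbitrary external action, then check health once at
    /// the end. The lock is held for the whole call.
    function doActionWithLeverage(uint256 borrowAmount, address target, bytes calldata data)
        external nonReentrant
    {
        require(msg.sender == owner, "not owner");
        debt += borrowAmount;
        collateral += borrowAmount;                 // borrowed funds land in the vault
        (bool ok, ) = target.call(data);            // external action, may call back
        require(ok, "action failed");
        require(isHealthy(), "vault unhealthy");    // deferred health check
    }

    /// Shares the lock: a call-back into liquidateVault during an action reverts.
    function liquidateVault() external nonReentrant {
        require(!isHealthy(), "vault is healthy");
        debt = 0;
        collateral = 0;                             // toy: seized by liquidator
    }
}
```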
In its report, the Arcadia team pushed back against claims that the exploit was caused by untrusted input, stating that this alleged vulnerability was not “the main problem” with the attack.
The Arcadia team sent a message to the attacker using the input data field of an Optimism transaction, stating:
"We understand that you are involved in the Arcadia Finance exploit. We are actively working with security experts and law enforcement. Your TC deposits and withdrawals on BNB were a bit too fast, it's hard to hide your identity online these days. We will escalate this with law enforcement if no funds are returned within the next 24 hours."
In its report, Arcadia claimed to have found promising leads to track down the attacker. "In addition to obtaining addresses linked to centralized exchanges, we also discovered links to prior exploits of other protocols," the report said. "The team is investigating both on-chain and off-chain data to its full extent and has several leads."
Exploits and scams have been a persistent problem in the DeFi space in 2023. A July 5 report from CertiK said over $300 million was lost to exploits in the second quarter of the year.