Arcadia Finance hacked on Ethereum and Optimism for $455K

Using a code vulnerability, a criminal stole approximately $455k from the noncustodial decentralized finance (DeFi) protocol Arcadia Finance.

PeckShield, a blockchain investigator, notified Arcadia Finance of a hack and identified the cause as “the lack of untrusted input validation.”

Arcadia Finance code required no validation of untrusted input. Source: PeckShield

Supposedly, the code lacked a mechanism to cross-check unverified inputs. This vulnerability allowed the intruder to steal approximately $455k from the Ethereum (darcWETH) and Optimism (darcUSDC) vaults.

Two hours after PeckShield’s notification, Arcadia Finance verified the hack and halted the contracts to prevent further loss of funds. While investigations are ongoing, Arcadia’s code contains an additional vulnerability that, if exploited, could prove catastrophic for the protocol. Stating:

“In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check.”

According to PeckShield, approximately 180 Ether’s worth of Optimism’s misappropriated funds have been cleaned up with Tornado Cash.

At the time of writing, however, the stolen Ethereum tokens worth over $103,000 remain lodged at the suspected wallet address. In the second quarter of 2023, breaches and exploits in the crypto space caused a loss of more than $300 million.

According to a report by blockchain security company CertiK, 212 security incidents were recorded during the quarter, culminating in a loss of $313,566,528 from Web3 protocols.

Compared to Q2 data from the previous year, CertiK discovered that crypto breaches decreased by 58%. The BNB Smart Chain had the highest number of incidents, with 119 incidents resulting in $70,711,385 in losses.