TL;DR
- A malicious contract was injected into Arcadia Financeās Rebalancer module, draining about $2.5 million in USDC and USDS within seconds by hijacking swap operations.
- The attacker exploited a flaw in Arcadiaās āswapDataā parameters to force rogue token swaps, then converted the stolen funds to WETH on Base and bridged them to Ethereum.
- Security firm Cyvers traced the breach, recommended blacklisting implicated addresses, and Arcadia urged users to revoke permissions as they work with forensic experts to recover funds.
Arcadia Finance, a decentralized protocol on the Base blockchain, suffered a devastating attack that drained user vaults of approximately $2.5 million in USDC and USDS. The breach occurred when an unknown exploiter injected a malicious contract into Arcadiaās Rebalancer module at 04:05:58 UTC. Within seconds, swap operations meant to keep user holdings balanced were hijacked, triggering unauthorized transfers that emptied liquidity pools in a single swift stroke.
Anatomy of the SwapData Vulnerability
At the core of the exploit lay a flaw in Arcadiaās handling of āswapDataā parameters. This mechanism instructs the protocol on how to execute token swaps during rebalancing events. By manipulating those parameters, the attacker forced the Rebalancer to execute rogue swaps, funneling stablecoins out of user vaults directly into the hackerās address.
Once funds were under their control, the assets were converted to Wrapped Ethereum (WETH) on Base and bridged to Ethereumās mainnet to obscure the money trail.
Quickfire Response from Arcadia and Cyvers
Blockchain security firm Cyvers was the first to publicly trace the exploit back to swapData abuse. In its alert, Cyvers urged immediate blacklisting of implicated addresses on both Base and Ethereum and recommended notifying major centralized exchanges and bridging services to freeze incoming transfers.
šØALERTšØToday, our system has detected a multiple suspicious transaction involving @ArcadiaFi on #Base with loss of 2.5M.
The exploiter seems to use arbitrary "swapData" on their rebalancer contract to execute the exploit.
All the stolen funds swapped to $ETH and bridged fromā¦ pic.twitter.com/IWhB4KY7Vu
— šØ Cyvers Alerts šØ (@CyversAlerts) July 15, 2025
Arcadiaās team swiftly confirmed the breach via a post on X, instructing all users to revoke any permissions granted to asset managers. They pledged further updates as they work alongside forensic specialists to recover stolen funds.
The team is aware of unauthorized transactions via a Rebalancer.
Remove all permissions for asset managers.
More information will follow.— Arcadia Finance (@ArcadiaFi) July 15, 2025
Lessons for the DeFi Ecosystem
This incident underscores the fragility of custom swap logic in automated market operations. SwapData vulnerabilities, while powerful for optimizing rebalancing, can create epicenters of risk if not rigorously audited.
As DeFi matures, projects must prioritize modular security reviews, third-party audits, and on-chain monitoring tools to detect anomalous swap patterns in real-time. For one of Baseās rising protocols, the road to redemption now hinges on transparent remediation and tighter safeguards against parametric exploits.
