Rodeo Finance, an Arbitrum (ARB) based decentralized finance (DeFi) protocol, fell prey to an oracle manipulation attack that resulted in a loss of about 810 Ethereum (ETH), approximately worth $1.5 million, on the Arbitrum network.
On July 11, blockchain security company, Peckshield took to Twitter to issue an alert, claiming Rodeo Finance suffered an exploit with the perpetrator making off with a whopping $1.53 million. As per an analysis of on-chain data, Peckshield stated the perpetrator transferred the dirty profits from Arbitrum to Ethereum.
Our analysis shows that the @Rodeo_Finance hack (w/ ~$1.53M loss) is a so-called "ForceInvestment" hack: the Investor.earn() routine has a flaw that can be forced to swap $USDC -> $WETH -> $unshETH, but the slippage control cannot take effect as expected due to the flawed… pic.twitter.com/2j0bmQRe2r
— PeckShield Inc. (@peckshield) July 11, 2023
Rodeo Finance Falls Victim to Another DeFi Hack
Furthermore, the attacker then exchanged the stolen tokens for various other assets before converting them back to ETH. The final stage of the exploit saw the Ethereum (ETH) being routed through Tornado Cash, the infamous sanctioned cryptocurrency mixer on the Ethereum network, effectively concealing the trail of funds. Peckshield tweeted,
“Here comes the flow of stolen funds. The exploiter has bridged the stolen funds (~810.1 ETH) from Arbitrum to Ethereum, swapped 285 ETH for unshETH and deposited them to Ankr: ETH2 Staking, and transferred 150 ETH to Tornado Cash.”
This comes hot on the heels after Arcadia Finance a DeFi platform, suffered an exploit on July 10, resulting in the loss of approximately $455,000 across the Ethereum and Optimism networks. As per Peckshield, another decentralized firm, Libertify, an AI-based automated investment platform had also endured an attack that drained $452K on Polygon and Ethereum.
Our analysis shows that the @Libertify_ hack (w/ ~452K loss) is possible due to the lack of reentrancy protection, which allows the hacker to mint more shares via re-entering deposit() routine. https://t.co/11Utp3idhN pic.twitter.com/h9rDfr3g7b
— PeckShield Inc. (@peckshield) July 11, 2023
DeFi Attacks Dent Investor Confidence
Such exploits have been plaguing the Arbitrum network for quite some time now. In April, Sentiment, another DeFi protocol running on Arbitrum, lost $1 million to a hacker. This was followed by an even larger security breach in May, where the Jimbos protocol lost a colossal amount of nearly $7.5 million.
In the past couple of years, the DeFi ecosystem has continued to succumb to increasing crypto attacks, serving as the biggest targets in the cryptocurrency industry. Fraudsters have increasingly targeted DeFi platforms, using more sophisticated tools to carry out these exploits.
Flash loans, exit scams, cross-bridge exploits, reentrancy attacks, and rug pulls among numerous others are some of the most common methods of attack in the DeFi space. Commenting on the rising sophistication among bad actors, Dmitry Mishunin, CEO at crypto auditing firm HashEx, said,
“Hackers have gotten smarter, gained more experience, and learned how to look for bugs. The crypto industry is still relatively new, and everyone is growing with each other, so it’s difficult to get too far ahead of bad actors.”
Such attacks continue to dent investor confidence in the digital assets industry which is already going through a whirlwind phase coupled with macroeconomic uncertainty and the barrage of attacks from regulators all around the world, Recently, data from Naoris Protocol, a global cyber security firm, revealed there was a rise in the number of reported cyber security hacks on Web3 and DeFi in Q1 2023 compared to the same period in 2022 and 2021.