Arcadia Finance Exploit Traced to SwapData Vulnerability, Says Cyvers

TL;DR

  • A malicious contract was injected into Arcadia Finance’s Rebalancer module, draining about $2.5 million in USDC and USDS within seconds by hijacking swap operations.
  • The attacker exploited a flaw in Arcadia’s “swapData” parameters to force rogue token swaps, then converted the stolen funds to WETH on Base and bridged them to Ethereum.
  • Security firm Cyvers traced the breach, recommended blacklisting implicated addresses, and Arcadia urged users to revoke permissions as they work with forensic experts to recover funds.

Arcadia Finance, a decentralized protocol on the Base blockchain, suffered a devastating attack that drained user vaults of approximately $2.5 million in USDC and USDS. The breach occurred when an unknown exploiter injected a malicious contract into Arcadia’s Rebalancer module at 04:05:58 UTC. Within seconds, swap operations meant to keep user holdings balanced were hijacked, triggering unauthorized transfers that emptied liquidity pools in a single swift stroke.

Anatomy of the SwapData Vulnerability

At the core of the exploit lay a flaw in Arcadia’s handling of “swapData” parameters. This mechanism instructs the protocol on how to execute token swaps during rebalancing events. By manipulating those parameters, the attacker forced the Rebalancer to execute rogue swaps, funneling stablecoins out of user vaults directly into the hacker’s address.

Once funds were under their control, the assets were converted to Wrapped Ethereum (WETH) on Base and bridged to Ethereum’s mainnet to obscure the money trail.

Quickfire Response from Arcadia and Cyvers

Blockchain security firm Cyvers was the first to publicly trace the exploit back to swapData abuse. In its alert, Cyvers urged immediate blacklisting of implicated addresses on both Base and Ethereum and recommended notifying major centralized exchanges and bridging services to freeze incoming transfers.

Arcadia’s team swiftly confirmed the breach via a post on X, instructing all users to revoke any permissions granted to asset managers. They pledged further updates as they work alongside forensic specialists to recover stolen funds.

Lessons for the DeFi Ecosystem

This incident underscores the fragility of custom swap logic in automated market operations. Caller-supplied swapData parameters, while powerful for optimizing rebalancing, can become a concentrated source of risk if they are not rigorously audited.

As DeFi matures, projects must prioritize modular security reviews, third-party audits, and on-chain monitoring tools to detect anomalous swap patterns in real time. For one of Base’s rising protocols, the road to redemption now hinges on transparent remediation and tighter safeguards against parametric exploits.
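
A minimal version of the monitoring rule described above, as an added example that is not Arcadia's or Cyvers's code: it checks each rebalance against a router allowlist, confirms the swap output returns to the vault, and bounds the vault's value loss. The event fields, addresses, and thresholds are assumptions, since the article does not give the swapData layout.

```python
from dataclasses import dataclass

# Assumed policy values for this sketch, not Arcadia's configuration.
ALLOWED_ROUTERS = {"0xROUTER_A", "0xROUTER_B"}   # constructed placeholder addresses
MAX_LOSS_BPS = 100                               # tolerated value loss per rebalance (1%)

@dataclass
class RebalanceEvent:                # hypothetical decoded record of one rebalance
    tx: str
    vault: str
    swap_target: str                 # contract named in the caller-supplied swapData
    recipient: str                   # address that receives the swap output
    value_before: int                # vault value before the rebalance, in USD cents
    value_after: int                 # vault value after the rebalance, in USD cents

def check_rebalance(ev: RebalanceEvent) -> list[str]:
    """Return the reasons an event looks anomalous; an empty list means it passed."""
    findings = []
    if ev.swap_target not in ALLOWED_ROUTERS:
        findings.append("swap target not on router allowlist")
    if ev.recipient != ev.vault:
        findings.append("swap output leaves the vault")
    loss_bps = (ev.value_before - ev.value_after) * 10_000 // max(ev.value_before, 1)
    if loss_bps > MAX_LOSS_BPS:
        findings.append(f"vault value dropped {loss_bps} bps")
    return findings

def scan(events: list[RebalanceEvent]) -> dict[str, list[str]]:
    """Map transaction id -> findings, for flagged events only."""
    return {ev.tx: f for ev in events if (f := check_rebalance(ev))}

# Constructed sample events (not taken from the incident).
SAMPLE_EVENTS = [
    RebalanceEvent("tx1", "0xVAULT_1", "0xROUTER_A", "0xVAULT_1", 1_000_000, 998_500),
    RebalanceEvent("tx2", "0xVAULT_2", "0xUNKNOWN_C", "0xOTHER_EOA", 1_000_000, 0),
    RebalanceEvent("tx3", "0xVAULT_3", "0xROUTER_B", "0xVAULT_3", 2_000_000, 1_900_000),
]

if __name__ == "__main__":
    for tx, findings in scan(SAMPLE_EVENTS).items():
        print(tx, "->", "; ".join(findings))
```

The same three conditions can be enforced on-chain as pre- and post-conditions around the swap call, so that a violating rebalance reverts rather than only raising an alert.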