Arcadia Finance believes that the exploiter executed a reentrancy attack.
The team behind Arcadia Finance, a decentralized finance (DeFi) protocol, used the input data field on an Optimism transaction to issue a message to the malicious actor behind the $455,000 exploit.
In the messages shared on July 10th, Arcadia Finance urged the hacker to return the stolen funds. The team behind the DeFi protocol said that if the hacker failed to do so within the next 24 hours, legal action would be taken against the exploiter.
In particular, the Arcadia team stated that it is actively working with "security experts and law enforcement" to get to the bottom of the exploit.
We understand you are involved with Arcadia Finance's exploit. We’re actively working with security experts and law enforcement. Your TC deposits and withdrawals on BNB were a bit too fast, it’s hard to hide your identity online these days. We will escalate this with law enforcement in the absence of any funds being returned within the next 24 hours.
On top of that, Arcadia's report hinted at the possibility of tracing the hacker as it has unearthed some promising leads. The report said:
Besides obtaining addresses linked to centralized exchanges, we also uncovered links to previous exploits of other protocols. The team is investigating both on-chain and off-chain data to the fullest extent and has multiple leads.
On the same day, Arcadia Finance posted a post-mortem report revealing that the exploit used by the attacker to siphon off $455,000 was a reentrancy exploit.
A reentrancy exploit abuses a bug that lets an attacker call back into a contract in the middle of its execution, before the original call has finished, causing the process to malfunction.
The financial assault on Arcadia Finance occurred on the morning of July 10th, leading to the loss of cryptocurrencies worth $455,000. A preliminary assessment by the blockchain security company, PeckShield, suggested that the assailant exploited a deficiency in the app's contracts that did not validate untrusted input, thereby draining the funds.
However, Arcadia Finance developers revealed that the app's "liquidateVault()" function, which lacked a reentrancy check, was exploited. The hacker managed to call this function before a system health check could be completed, but only after withdrawing funds. Consequently, the attacker obtained funds without the obligation to repay them, siphoning them from the protocol.
The malefactor initially obtained a flash loan of USD Coin (USDC) worth $20,672 from Aave and deposited it into an Arcadia vault. Using this collateral, the attacker borrowed $103,210 USDC from an Arcadia liquidity pool.
The attacker deposited the borrowed sum into the vault, raising the total funds to $123,882. Subsequently, the hacker withdrew all the funds, leaving the vault asset-less and with a debt of $103,210.
Under normal circumstances, this action should have caused all transactions to revert, as the withdrawal should have led to a health check failure. However, by invoking the liquidateVault() function with a malicious contract before the health check started, the hacker liquidated the vault, clearing all its debts and leaving it with no assets or liabilities, thereby passing the health check.
Because the account passed the health check after all the transactions had run, none of them reverted, and the pool was drained of $103,210. The hacker repaid the Aave loan within the same block and repeated this maneuver several times, siphoning $455,000 from pools on Optimism and Ethereum.
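The sequence described above can be reproduced in a toy Python model, added here as an illustration and not taken from Arcadia's contracts: it shows why the deferred health check passes when liquidation is reachable mid-action, and how a reentrancy lock on the liquidation path makes the whole transaction revert instead. The class and function names, the single combined `leveraged_action` step and the pool balance are assumptions; the dollar amounts are the ones quoted in the article.

```python
import copy

class Revert(Exception):
    """Models an EVM revert: every state change in the transaction is undone."""

class Vault:
    """Toy model (not Arcadia's code): one vault plus the pool it borrows from."""
    def __init__(self, guarded):
        self.guarded = guarded      # True: liquidate_vault() honours the lock
        self.locked = False         # reentrancy lock held while an action runs
        self.collateral = 0
        self.debt = 0
        self.pool = 500_000         # constructed pool balance

    def liquidate_vault(self):
        if self.guarded and self.locked:
            raise Revert("reentrant call")
        if self.collateral >= self.debt:
            raise Revert("vault is healthy")
        self.collateral = self.debt = 0     # debt is written off

    def leveraged_action(self, own_funds, loan, callback):
        """Deposit, borrow, withdraw everything; the health check runs last."""
        self.locked = True
        self.collateral += own_funds        # flash-loaned deposit
        self.pool -= loan                   # borrow from the liquidity pool
        self.debt += loan
        self.collateral += loan             # borrowed sum deposited as well
        paid_out, self.collateral = self.collateral, 0   # full withdrawal
        callback(self)                      # external call before the health check
        self.locked = False
        if self.collateral < self.debt:
            raise Revert("health check failed")
        return paid_out

def run_tx(vault, own_funds, loan, callback):
    """Run one transaction; on Revert restore the snapshot, as the EVM would."""
    snapshot = copy.copy(vault.__dict__)
    try:
        return vault.leveraged_action(own_funds, loan, callback)
    except Revert as err:
        vault.__dict__.update(snapshot)
        return str(err)

def pool_loss(guarded, callback):
    """Return (transaction outcome, amount missing from the pool afterwards)."""
    vault = Vault(guarded)
    start = vault.pool
    outcome = run_tx(vault, 20_672, 103_210, callback)
    return outcome, start - vault.pool
```

With no callback the withdrawal reverts on the health check; with an unguarded `liquidate_vault` as the callback the pool ends up 103,210 short; with the guard enabled the same call reverts and the pool is untouched.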