Decentralized finance (DeFi) protocol Arcadia Finance was hacked using a code vulnerability that allowed the hacker to drain funds worth roughly $455,000 from its Ethereum and Optimism vaults.
PeckShield, a blockchain investigator, notified Arcadia Finance of a hack and identified the cause as “the lack of untrusted input validation.” Supposedly, the code lacked a mechanism to cross-check unverified inputs. This vulnerability allowed the intruder to steal approximately $455k from the Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
The team stated, however, that the fundamental cause identified by PeckShield needs to be corrected.
Two hours after PeckShield’s notification, Arcadia Finance verified the hack and halted the contracts to prevent further loss of funds.
While investigations are ongoing, Arcadia’s code contains an additional vulnerability that, if exploited, could prove catastrophic for the protocol. As stated by PeckShield:
“In addition, there is a lack of reentrancy protection, which allows for the instant liquidation to bypass the internal vault health check.”
Most of the misappropriated funds, approximately 180 Ether, originated from Optimism and were cleansed with Tornado Cash. However, the misappropriated Ethereum tokens, valued at over $103,000 when writing, remain at the suspect wallet address.
In the second quarter of 2023, breaches and exploits in the crypto space caused a more than $300 million loss.
According to a blockchain security company CertiK report, 212 security incidents were recorded during the quarter, culminating in a loss of $313,566,528 from Web3 protocols.
Compared to Q2 data from the previous year, CertiK discovered that crypto breaches decreased by 58%. The BNB Smart Chain had the highest number of incidents, with 119 resulting in $70,711,385 in losses.
