Arbitrum-based decentralized finance (DeFi) protocol Rodeo Finance was exploited for $1.53 million on July 11. The attacker used a code vulnerability in the protocol's oracle, resulting in the loss of over 810 Ether (ETH).
According to data shared by blockchain analytics firm PeckShield, the exploiter then transferred the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for unshETH. The exploiter then deposited the ETH into Eth2 staking. Finally, the exploiter routed the stolen ETH through the popular Tornado Cash mixing service, which exploiters often use as an exit route to obscure the transaction trail.
The exploiter manipulated the oracle's time-weighted average price (TWAP), a mechanism DeFi protocols use to calculate the average price of an asset over a specific time period and smooth out price fluctuations due to market volatility.
However, this mechanism leaves room for exploiters to manipulate these oracles by artificially distorting the calculated average price of an asset. This allows them to gain the upper hand and exploit the protocol during a transaction.
In such an attack, an exploiter first borrows a large sum of an asset and then artificially manipulates the price to buy the same asset at a deflated price. Later, the exploiter repays the loan and profits from the low price achieved through the manipulation.
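As an added illustration that is not part of the original report or Rodeo Finance's code, the sketch below computes a TWAP over sampled prices, shows how the same distorted samples move a short averaging window far more than a long one, and applies a deviation check against an independent reference feed before the price is accepted. All prices, intervals, the tolerance and the reference feed are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    timestamp: int  # seconds since the start of the window
    price: float    # price sampled by the oracle at that time

def twap(observations, window_end):
    """Weight each sampled price by how long it stayed in effect."""
    window_start = observations[0].timestamp
    weighted = 0.0
    for i, obs in enumerate(observations):
        last = i + 1 == len(observations)
        next_ts = window_end if last else observations[i + 1].timestamp
        weighted += obs.price * (next_ts - obs.timestamp)
    return weighted / (window_end - window_start)

def within_tolerance(oracle_price, reference_price, max_deviation):
    """Defensive check: accept the TWAP only if it stays close to an
    independent reference feed (hypothetical second price source)."""
    return abs(oracle_price - reference_price) / reference_price <= max_deviation

def constructed_series(samples, interval, distorted_tail, fair=1.0, distorted=1.5):
    """Constructed sample data: the last `distorted_tail` samples are skewed."""
    return [
        Observation(i * interval, distorted if i >= samples - distorted_tail else fair)
        for i in range(samples)
    ]

def demo(interval=900, reference=1.0, max_deviation=0.10):
    results = {}
    # Same two distorted samples, averaged over 4 samples and over 16 samples.
    for label, samples in (("short_window", 4), ("long_window", 16)):
        series = constructed_series(samples, interval, distorted_tail=2)
        price = twap(series, window_end=samples * interval)
        accepted = within_tolerance(price, reference, max_deviation)
        results[label] = (price, accepted)
    return results

if __name__ == "__main__":
    for label, (price, accepted) in demo().items():
        print(f"{label}: twap={price:.4f} accepted={accepted}")
```

With these constructed values the short window reports a price 25% above the fair value and is rejected by the check, while the long window dilutes the same distortion to 6.25%.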
The exploiter’s wallet address still contains more than 374 ETH, and Etherscan has labeled the address as linked to the Rodeo exploit. The DeFi protocol had $20 million in total value locked (TVL), which fell below $500 after the exploit.
The exploit also caused the price of the native token of the DeFi protocol to plummet, dropping more than 53% in the past 24 hours.
In 2023 alone, there have been 21 recorded incidents of some form of exploit on the Arbitrum network, with a combined loss of over $20 million. The latest $1.53 million exploit is the fifth largest recorded on Arbitrum in 2023. Rodeo Finance was also exploited on July 5 for approximately $89,000 due to a vulnerability in its mintProtocolReserves function.