Arcadia Finance hacker used reentrancy exploit, team demands return of funds

cointelegraph.com:

The Arcadia Finance attacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a July 10 post-mortem report issued by the app’s development team. A “reentrancy exploit” is a bug that allows an attacker to “re-enter” a contract or interrupt it during a multi-step process, preventing the process from being completed correctly.

The team has sent a message to the attacker demanding the return of funds within 24 hours and threatening police action if they fail to comply.

Post Mortem of ongoing situation, providing a technical overview and sharing more information on next steps.https://t.co/NPNbbSzKBQ

Arcadia Finance was exploited on the morning of July 10 and drained of $455,000 worth of crypto. A preliminary report from blockchain security firm Peckshield stated that the attacker had used a “lack of untrusted input validation” in the app’s contracts to drain the funds. The Arcadia team had denied this, stating that Peckshield’s analysis was mistaken. However, the team did not explain what they thought the cause was at the time.

The new Arcadia report stated that the app’s "liquidateVault()" function did not contain a reentrancy check. This allowed the attacker to call the function before a health check had been completed but after the attacker had withdrawn funds. As a result, the attacker could borrow funds and not pay them back, draining them from the protocol.

The team has now paused the contracts and is working on a patch to close the loophole.

The attacker first took a flash loan from Aave for $20,672 worth of US Dollar Coin (USDC) and deposited it into an Arcadia vault. Next, they used this vault collateral to borrow $103,210 USDC from an Arcadia liquidity pool. This was