Arcadia Finance has joined the growing list of DeFi protocols to lose funds in hack exploitation. The hackers leveraged a code vulnerability to siphon about $455,000 from the protocol’s Ethereum and Optimism vaults.
Blockchain sleuth PeckShield alerted about Arcadia’s exploitation in a July 9 tweet. In the tweet, PeckShield also highlighted the cause of the attack.
The tweet revealed that the attackers capitalized on "the lack of untrusted input validation" to carry out the illicit transaction. PeckShield noted that Arcadia Finance's contract code lacked a validation mechanism to cross-check unverified inputs.
The loophole allowed the hacker to withdraw approximately $445,000 in crypto assets from the protocol's Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
Arcadia Finance has confirmed the hack attack, but lonely two hours after PeckShield’s update. The protocol noted that it paused the contracts to prevent further fund drainage.
The team disclosed that it is working with security experts to investigate the root-cause of the incident and will share more information as soon as it comes.
While investigations into the root cause of the attack continue, PeckShield made another striking revelation. The blockchain security firm said it found another vulnerability in Arcadia's code, which hackers could explore to steal more funds.
"In addition, there is a lack of reentrancy protection, which allows the instant liquidation to bypass the internal vault health check," PeckShield said.
Most of the stolen funds, about 180 ETH, came from the Optimism vault. And according to PeckShield’s data, the hackers have already laundered the funds via Tornado Cash.
But the stolen Ethereum, worth more than $103,000 at press time, is still in the
Read more on cryptonews.com