In yet another blow to the decentralized finance (DeFi) sector, Arbitrum-based protocol Rodeo Finance has fallen victim to an attack, resulting in the loss of approximately 810 Ethereum (ETH), equivalent to $1.5 million. The incident highlights the ongoing security challenges faced by the burgeoning DeFi ecosystem.
Blockchain security firm PeckShield, at the forefront of detecting such exploits, identified the attack today and flagged the vulnerability in Rodeo Finance. Via Twitter, the PeckShield Alert account alerted the project, stating, “Hi, Rodeo Finance, you may want to take a look at this Arbitrum transaction hash.”
One hour later, the blockchain security firm revealed that Rodeo Finance had suffered a significant breach, resulting in the theft of approximately 810.1 ETH, equivalent to $1.53 million. The attacker transferred the stolen funds from the Arbitrum network to Ethereum and converted a portion into alternative assets, including the Uniswap-backed unshETH.
The firm conducted a thorough analysis of the on-chain data surrounding the incident. According to their findings, the attacker used a so-called ‘ForceInvestment’ hack: “the Investor.earn() routine has a flaw that can be forced to swap $USDC -> $WETH -> $unshETH, but the slippage control cannot take effect as expected due to the flawed $unshETH price oracle.”
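The failure mode PeckShield describes, a slippage bound that is only as good as the oracle price it is computed from, can be shown with a small model. This is an added example, not Rodeo Finance's code: the function names, the numbers, the direction of the oracle skew, and the reference-price deviation guard (one common mitigation) are all assumptions made for illustration.

```python
# Added illustration; every name and number here is constructed, not Rodeo's code.
PRICE_SCALE = 10**6   # fixed-point scale for prices, mimicking on-chain integer math
BPS = 10_000          # basis-point denominator

def min_amount_out(amount_in, oracle_price, slippage_bps):
    """Lowest acceptable output: input valued at the oracle price, less tolerance.
    oracle_price = output-token units per input-token unit, scaled by PRICE_SCALE."""
    quoted = amount_in * oracle_price // PRICE_SCALE
    return quoted * (BPS - slippage_bps) // BPS

def deviation_bps(oracle_price, reference_price):
    """Distance between the oracle and an independent reference, in basis points."""
    return abs(oracle_price - reference_price) * BPS // reference_price

def naive_check(amount_in, amount_out, oracle_price, slippage_bps):
    """Slippage control that trusts the oracle unconditionally."""
    return amount_out >= min_amount_out(amount_in, oracle_price, slippage_bps)

def guarded_check(amount_in, amount_out, oracle_price, reference_price,
                  slippage_bps, max_deviation_bps):
    """Refuse the swap if the oracle disagrees with the reference price,
    then apply the same slippage bound."""
    if deviation_bps(oracle_price, reference_price) > max_deviation_bps:
        return False, "oracle deviates from reference"
    if not naive_check(amount_in, amount_out, oracle_price, slippage_bps):
        return False, "output below slippage bound"
    return True, "ok"

# Constructed scenario: the fair rate is 1.0, the flawed oracle reports 0.5,
# and the swap returns only 550 output units for 1,000 input units.
AMOUNT_IN = 1_000 * PRICE_SCALE
AMOUNT_OUT = 550 * PRICE_SCALE
FAIR_PRICE = 1_000_000      # 1.0 (assumed independent reference, e.g. a TWAP)
SKEWED_PRICE = 500_000      # 0.5 (assumed flawed oracle reading)
SLIPPAGE_BPS = 100          # 1% tolerance
MAX_DEVIATION_BPS = 200     # 2% allowed oracle/reference gap

if __name__ == "__main__":
    print("bound from skewed oracle:", min_amount_out(AMOUNT_IN, SKEWED_PRICE, SLIPPAGE_BPS))
    print("bound from fair price:   ", min_amount_out(AMOUNT_IN, FAIR_PRICE, SLIPPAGE_BPS))
    print("naive check passes:      ", naive_check(AMOUNT_IN, AMOUNT_OUT, SKEWED_PRICE, SLIPPAGE_BPS))
    print("guarded check:           ", guarded_check(AMOUNT_IN, AMOUNT_OUT, SKEWED_PRICE,
                                                      FAIR_PRICE, SLIPPAGE_BPS, MAX_DEVIATION_BPS))
```

With the skewed oracle the 1% tolerance is computed against half the fair value, so a swap that loses 45% still clears the bound; the guard rejects it before the slippage check is even reached.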
Remarkably, the exploiter swiftly moved the illicitly obtained funds from Arbitrum to Ethereum. The stolen tokens were then exchanged for various other assets before being converted back into ETH. The final step involved routing the ETH through the popular transaction mixer Tornado Cash, effectively obscuring the origins of the funds. PeckShield writes via Twitter:
“The exploiter has bridged the stolen funds from #Arbitrum to #Ethereum, and swapped 285 $ETH for $unshETH and deposited them to Ankr: ETH2 Staking, and transferred 150 $ETH to Tornado Cash.”
As of now, the Rodeo Finance team has not issued any official response or statement regarding the incident. However, it is expected that they will undertake a thorough investigation to identify the security flaws that led to the exploit.
Arbitrum-Based DeFi Takes Another Blow
The breach suffered by Rodeo Finance is not an isolated incident but rather part of an alarming trend that has plagued the Arbitrum ecosystem in recent months. Earlier in April, Sentiment, another DeFi protocol operating on Arbitrum, lost $1 million to hackers.
This was followed by an even more substantial security breach in May when the Jimbos protocol was stripped of a staggering $7.5 million. The recurring nature of these attacks underscores the urgent need for heightened security measures and continuous improvement within the DeFi space.
At press time, the Rodeo Finance (RDO) token has fallen by 52%. The Arbitrum (ARB) token seems unfazed by the news, showing a slight gain of 1.1% within the last 24 hours and trading at $1.12.