Rodeo Finance, a leveraged yield protocol on Arbitrum, fell victim on July 10 to a “force-investment” hack in which almost $1.7 million was reportedly stolen. According to Rodeo Finance, about $810,000 has been recovered so far, and the protocol plans to freeze the remaining stolen funds.
Protocol in ‘Paused State’
Rodeo Finance, a leveraged yield farming product, recently became the latest decentralized finance (defi) protocol to fall victim to the so-called force-investment hack after criminals stole approximately $1.7 million on July 10. As a consequence, the defi protocol has been placed in a paused state “until a remediation plan has been finalized and implemented alongside the advice of multiple security experts.”
Our analysis shows that the @Rodeo_Finance hack (w/ ~$1.53M loss) is a so-called "ForceInvestment" hack: the Investor.earn() routine has a flaw that can be forced to swap $USDC -> $WETH -> $unshETH, but the slippage control cannot take effect as expected due to the flawed… pic.twitter.com/2j0bmQRe2r
— PeckShield Inc. (@peckshield) July 11, 2023
In its July 11 statement, Rodeo Finance acknowledged the attack but claimed to have recovered $810,000. This, according to the protocol, means hackers took $830,000. Meanwhile, in the same statement, Rodeo Finance also explained how the cyber criminals were able to carry out the attack.
“The attack occurred because one of our oracles, meant to be a TWAP for Camelot’s Uniswap v2 pools, was sandwiched (a first on Arbitrum) just around its price update in order to inflate its price. This allowed the hacker to borrow from the lending pool and swap it all to said token, incurring heavy slippage but still going through because of the inflated oracle pricing,” Rodeo Finance said in a tweet.
To cash out their profits, the attacker is said to have “arbitraged” the decentralized exchange’s pool back to the normal price. Rodeo Finance said it was able to recover $810,000 from the yield farm used for the attack.
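The statement above describes a TWAP oracle whose reading was pushed up right around its price update, so that a swap with heavy slippage still passed the protocol's checks. The following constructed Python model, added here and not code from Rodeo Finance, Camelot or PeckShield, shows the defensive side of that mechanism: a one-block "TWAP" takes the full value of a single spiked block, a longer accumulation window dilutes the same spike to a few percent, and a deviation guard against a reference price (for example the previous reading or a second, independent oracle) rejects the inflated value before it is used for borrowing. All prices, the 12-second block spacing and the window sizes are assumed values chosen for illustration.

```python
"""Constructed model of a time-weighted average price (TWAP) oracle.

Shows why a short window is dominated by a single-block price spike, how a
longer window dilutes it, and how a deviation guard rejects the inflated
reading. Not the code of Rodeo Finance, Camelot or any real oracle.
"""
from typing import Dict, List, Tuple

Observation = Tuple[int, float]  # (block timestamp in seconds, spot price)


def twap(observations: List[Observation], now: int, window: int) -> float:
    """Time-weighted average of spot price over [now - window, now].

    Each observation's price is taken to hold from its timestamp until the
    next observation (or until `now` for the last one), which is the same
    idea as a Uniswap v2 cumulative-price oracle read at two points in time.
    """
    start = now - window
    weighted = 0.0
    covered = 0
    for i, (ts, price) in enumerate(observations):
        next_ts = observations[i + 1][0] if i + 1 < len(observations) else now
        lo = max(ts, start)
        hi = min(next_ts, now)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered


def build_history(base_price: float, spike_price: float, blocks: int = 60,
                  block_time: int = 12, spike_block: int = 59) -> List[Observation]:
    """Constructed price history (assumed values): a steady price, then one
    spiked block immediately before the oracle is read."""
    return [(b * block_time, spike_price if b == spike_block else base_price)
            for b in range(blocks)]


def guarded_price(observations: List[Observation], now: int, window: int,
                  reference: float, max_deviation_bps: int) -> float:
    """Return the TWAP only if it stays within `max_deviation_bps` of a
    reference price; otherwise refuse to serve a price at all."""
    price = twap(observations, now, window)
    deviation_bps = abs(price - reference) / reference * 10_000
    if deviation_bps > max_deviation_bps:
        raise ValueError(
            f"oracle deviation {deviation_bps:.0f} bps exceeds {max_deviation_bps} bps")
    return price


def is_rejected(observations: List[Observation], now: int, window: int,
                reference: float, max_deviation_bps: int) -> bool:
    """True if the guard refuses the reading (used by the demo and tests)."""
    try:
        guarded_price(observations, now, window, reference, max_deviation_bps)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, float]:
    """Compare a one-block window with a fifty-block window on the same spike."""
    history = build_history(base_price=1.0, spike_price=5.0)  # constructed
    now = 60 * 12  # the oracle is read one block after the spiked block
    return {
        "one_block_twap": twap(history, now, window=12),      # 5.0: spike taken whole
        "fifty_block_twap": twap(history, now, window=600),   # 1.08: spike diluted
    }


if __name__ == "__main__":
    readings = demo()
    for name, value in readings.items():
        print(f"{name}: {value:.4f}")
    history = build_history(1.0, 5.0)
    # With a 10% deviation limit against the pre-spike price, the long-window
    # reading is served and the one-block reading is refused.
    print("one-block reading rejected:", is_rejected(history, 720, 12, 1.0, 1000))
    print("fifty-block reading rejected:", is_rejected(history, 720, 600, 1.0, 1000))
```

The point for a lending protocol is that window length and a deviation check are separate controls: the long window alone still moved the price by 8% on a single spiked block, so the guard threshold and the reference price it compares against matter as much as the averaging itself.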
Concerning the yet-to-be-recovered funds, Rodeo Finance said it is attempting to track and freeze the assets. It added that working with security auditors “to finalize the plan of recovery” is the next planned step.