Rodeo Finance, an Arbitrum-based DeFi system, has suffered another big hack, losing $1.53 million because of a code vulnerability in its Oracle.
Rodeo Finance, a DeFi protocol running on the Arbitrum blockchain, experienced its second large exploit on July 11, leading to a loss of 472 ETH, or about $888,000. A coding flaw in Rodeo’s Oracle made the hack possible.
According to blockchain analytics company PeckShield, the exploiter bridged the stolen funds from Arbitrum to Ethereum and then swapped 285 ETH for unshETH. After the swap, the exploiter sent 150 ETH to Tornado Cash, a mixer service widely used to obscure transaction trails, and then deposited ETH into Eth2 staking.
PeckShield later confirmed a recalculated figure of 472 ETH, or $888,000:
#PeckShieldAlert @Rodeo_Finance is exploited for ~810.1 $ETH (~$1.53M)
The exploiter has bridged the stolen funds from #Arbitrum to #Ethereum, and swapped 285 $ETH for $unshETH and deposited them to Ankr: ETH2 Staking, and transferred 150 $ETH to Tornado Cash… https://t.co/nkEZ1pkfWI pic.twitter.com/r1zZRzA2BQ
— PeckShieldAlert (@PeckShieldAlert) July 11, 2023
The exploit was carried out by manipulating a time-weighted average price (TWAP) oracle. A TWAP oracle is a mechanism used by DeFi protocols to average an asset's price over a specified period, which dampens the effect of short-term market volatility on the price the protocol acts on. The averaging itself, however, has repeatedly been observed to be a potential vulnerability: if an attacker can hold a distorted price for long enough within the averaging window, the reported average moves with it.
The exploiter first borrowed a sizeable amount of the asset, then used price manipulation to drive its price down so that the same asset could be bought back at a substantially lower price. The exploiter then repaid the loan and kept the difference, profiting from the artificially low price they had created.
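To make the two preceding paragraphs concrete, here is a small added simulation of a TWAP oracle and of a defensive deviation guard. It is illustrative code written for this article, not Rodeo Finance's contract code; the window lengths, the prices, the 12-second "manipulated block" and the 10% deviation threshold are all constructed assumptions. It shows how far a single short-lived price distortion moves the average for different window lengths, and how a consumer of the oracle can refuse to act when the spot price strays too far from the TWAP.

```python
"""Toy time-weighted average price (TWAP) oracle with a deviation guard.

Added illustration for this article; not Rodeo Finance's code.
All prices, timestamps and thresholds below are constructed examples.
"""
from dataclasses import dataclass, field


@dataclass
class TwapOracle:
    """Averages the spot price over the last `window` seconds.

    Each observation (timestamp, price) holds until the next observation,
    which mirrors how cumulative-price oracles weight a price by how long
    it was in force rather than by how many trades produced it.
    """
    window: int                                       # averaging window in seconds
    observations: list = field(default_factory=list)  # (timestamp, spot_price)

    def record(self, timestamp: int, spot_price: float) -> None:
        self.observations.append((timestamp, spot_price))

    def twap(self, now: int) -> float:
        """Time-weighted mean of the spot price over [now - window, now]."""
        start = now - self.window
        weighted, covered = 0.0, 0
        obs = self.observations
        for i, (t, price) in enumerate(obs):
            # the price at obs[i] applies until obs[i+1] (or until `now`)
            t_next = obs[i + 1][0] if i + 1 < len(obs) else now
            lo, hi = max(t, start), min(t_next, now)
            if hi > lo:  # clip the interval to the window
                weighted += price * (hi - lo)
                covered += hi - lo
        if covered == 0:
            raise ValueError("no observations inside the window")
        return weighted / covered


def price_is_sane(spot: float, twap: float, max_deviation: float) -> bool:
    """Deviation guard: refuse to act on a spot price that strays too far
    from the TWAP. A protocol that consults the TWAP can use this as a
    circuit breaker; it does not make the TWAP itself unmanipulable."""
    return abs(spot - twap) / twap <= max_deviation


def build_scenario(window: int) -> TwapOracle:
    """Constructed data: the honest price is 100 for an hour, then a single
    12-second block just before the read carries a distorted price of 10."""
    oracle = TwapOracle(window=window)
    oracle.record(0, 100.0)      # honest price from t=0
    oracle.record(3588, 10.0)    # distorted price held for the last 12 s
    return oracle


if __name__ == "__main__":
    # A 12-second distortion barely moves a one-hour TWAP (99.7) but pulls a
    # 60-second TWAP down to 82; the shorter the window, the cheaper the attack.
    for window in (3600, 600, 60):
        twap = build_scenario(window).twap(now=3600)
        ok = price_is_sane(10.0, twap, max_deviation=0.10)
        print(f"window={window:5d}s  twap={twap:7.3f}  spot=10 accepted? {ok}")
```

The lesson the numbers carry is the one behind the incident: a TWAP is only as robust as the length of its window relative to how long an attacker can afford to hold a distorted price, and a consumer should pair it with a sanity check such as the spot-versus-TWAP deviation guard rather than trusting the average alone.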
The total value locked (TVL), which had previously been $20 million, has dropped to less than $500 as a result of this most recent breach, which has severely damaged Rodeo Finance.
The wallet address linked to the attack still holds more than 370 ETH and has been labelled by Etherscan as related to the Rodeo exploit.
HypernativeLabs had reported on Twitter a similar attack on Rodeo Finance the previous week, on July 5, with roughly $50,000 lost:
Our platform detected a hack against @rodeo_finance on Arbitrum. The attack spanned multiple transactions over the course of ~1 hour. We counted ~50K USD in losses.
attack contract: https://t.co/TvQKEldQeX
sample txs: https://t.co/jiCtGt2EzW https://t.co/IGQYKVdZke
— HypernativeLabs (@HypernativeLabs) July 5, 2023