Arcadia Finance, a noncustodial protocol supporting on-chain cross-margin accounts, fell victim to a cyber attack that resulted in the loss of approximately $455,000. However, the hacker exploited a code vulnerability, exposing a weakness in the platform’s validation mechanism. The vulnerability allowed unverified inputs to go unchecked, enabling the hacker to drain funds from Arcadia Finance’s Ethereum (darcWETH) and Optimism (darcUSDC) vaults.
Code vulnerability leads to significant losses
The breach was first discovered by PeckShield, a prominent cybersecurity firm known for its expertise in the blockchain domain. PeckShield promptly alerted Arcadia Finance about the hack, emphasizing the lack of untrusted input validation as the primary cause of the exploit. Following PeckShield’s intimation,
The perpetrator demonstrated a swift response by successfully transferring an estimated 179.3 ETH from the Optimism[OP] network. This sum was attained by utilizing a combination of 148 ETH, which had been bridged from the Ethereum network, and approximately 59,000 USDC that was swapped.
The stolen funds were laundered through Tornado Cash, a decentralized privacy solution for cryptocurrencies. However, the stolen tokens on the Ethereum network, valued at over $103,000 at the time of writing, remain parked in the suspected wallet address, awaiting further investigation.
Arcadia Finance acknowledged the breach and swiftly halted its contracts to prevent further loss of funds.
PeckShield also disclosed an additional vulnerability within Arcadia Finance’s code. This vulnerability, known as a lack of reentrancy protection, poses a severe risk to the protocol’s internal vault health check. If exploited, this vulnerability could have severe consequences for the platform.
The incident adds to the growing list of cyber attacks and exploits that have plagued the cryptocurrency space during the second quarter of 2023. A recent report by CertiK, a leading blockchain security company, revealed that a total of 212 security incidents occurred during the quarter, resulting in a staggering loss of $313,566,528 from Web3 protocols.
Defi Llama’s data reveals that Arcadia Finance’s TVL has taken a significant hit in the past few days due to the prevailing uncertainty surrounding the company.
Impact on Optimism network and future growth
The exploitation of Arcadia Finance affected the protocol and had implications for the broader Optimism network. Token Terminal’s data indicates that although the number of daily active users on Optimism experienced a robust growth rate of 3.9% over the past week, the platform’s revenue witnessed a significant decline. In just the last seven days, the revenue generated by Optimism plummeted by 52.6%.
This decline in revenue raises concerns about the long-term growth prospects of the Optimism network. Moreover, the OP token, which is closely associated with Optimism, has experienced a substantial decline in price over the past month. Additionally, the velocity of OP token trading has diminished, indicating a decrease in trading activity. It is important to note that the OP token was trading at $1.18 at the time of writing.
