Rodeo Finance, a decentralized finance (DeFi) protocol based on Arbitrum, fell victim to an exploit that resulted in a loss of $1.53 million on July 11. The exploit took advantage of a code vulnerability in the protocol’s Oracle, leading to the theft of over 810 Ether (ETH). PeckShield, a blockchain analytics firm, shared data indicating that the attacker transferred the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for unshETH. Subsequently, the attacker deposited the ETH onto Eth2 staking. To obscure the transaction’s trace, the attacker utilized Tornado Cash, a popular mixer service often employed by exploiters as an exit route.
Exploiting Time-Weighted Average Price Oracle Manipulation
The exploit relied on manipulating time-weighted average price oracles, which DeFi protocols utilize to calculate the average price of an asset within a specific timeframe. This calculation helps mitigate price fluctuations caused by market volatility. However, the exploit exposed a vulnerability that allowed attackers to manipulate these oracles by artificially distorting the calculated average price of an asset. By doing so, attackers gain an advantage and can exploit the protocol during a transaction. The attacker’s strategy involved borrowing a significant amount of an asset and artificially manipulating its price to purchase the same asset at a deflated price. Once the manipulation was successful, the attacker repaid the loan and profited from the lower price achieved through their manipulations.
Significant Losses and Impact on Rodeo Finance
The wallet address associated with the attacker still holds approximately 374 ETH, with Etherscan marking it as linked to the Rodeo exploit. Prior to the exploit, Rodeo Finance had a total value locked (TVL) of $20 million, but this amount plummeted to under $500 following the attack. Additionally, the native token of the DeFi protocol experienced a substantial drop of over 53% in value within the past 24 hours.
Increase in Exploits on Arbitrum Network
The exploit on Rodeo Finance adds to a growing number of incidents on the Arbitrum Network in 2023. So far, there have been 21 recorded exploits, resulting in a combined loss exceeding $20 million. With a total of $1.53 million stolen, this exploit ranks as the fifth largest on Aribitrum in 2023. Notably, Rodeo Finance had also suffered a previous exploit on July 5, where approximately $89,000 was compromised due to a vulnerability in their mintProtocolReserves function.
Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space.