November 23, 2024

Arbitrum-based Rodeo Finance exploited for second time, $1.5M stolen

The exploiter manipulated price oracles to gain the upper hand on trades executed using the manipulated price.

Arbitrum-based decentralized finance (DeFi) protocol Rodeo Finance was exploited for $1.53 million on July 11. The DeFi protocol was exploited using a code vulnerability in its Oracle, leading to a loss of over 810 Ether (ETH).

According to data shared by blockchain analytic firm PeckShield, the exploiter later bridged the stolen funds from Arbitrum to Ethereum and swapped 285 ETH for unshETH. The exploiter then deposited the ETH on Eth2 staking. Finally, the exploiter routed the stolen ETH using the popular mixer service Tornado Cash, which exploiters often use as an exit route to obscure the transaction’s footprint.

Movement of funds from Rodeo exploiter. Source: PeckShield

The exploiter used time-weighted average price oracle manipulation, which is used by DeFi protocols to calculate the average price of an asset for a specific time frame and mitigate price fluctuation due to market volatility.

However, it offers a vulnerability for exploiters to manipulate these oracles by artificially skewing the calculated average price of an asset. This allows them to gain the upper hand and exploit the protocol during a transaction.

An exploiter first borrows a large sum of an asset and then artificially manipulates the price to buy the same asset at a deflated price. Later the exploiter returns the loan and makes a profit based on the low price managed by manipulations.

Related: Crypto scams are going to ramp up with the rise of AI

The exploiter wallet address still holds over 374 ETH and Etherscan has marked the address as linked to the Rodeo exploit, The DeFi protocol had $20 million in total value locked (TVL) which has fallen below $500 after the exploit. 

Rodeo Finance TVL post exploit. Source: DefiLlama

The exploit also tumbled the price of the native token of the DeFi protocol, which dropped by over 53% in the past 24 hours.

DRDO token price tumble post exploit. Source: Coingecko

In 2023 alone, there have been 21 recorded incidents of some form of exploit on the Arbitrum Network, with a combined loss of over $20 million. The latest exploit of $1.53 million makes it the fifth largest recorded on Aribitrum in 2023. Rodeo Finance was also exploited on July 5 for around $89,000 due to a vulnerability in their mintProtocolReserves function.

Magazine: Should you ‘orange pill’ children? The case for Bitcoin kids books

Please enter CoinGecko Free Api Key to get this plugin works.