In brief ⚡
😮 Arcadia Finance Exploited: Significant Losses Reported in Latest Attack
🔒 Multichain Hit Again: Additional $126 Million Drained Shortly After Previous Theft
😱 Rodeo Finance Faces Second Exploit Within a Week
😲 Libertify Hacked: Major Security Breach Causes Losses
😮 Platypus Finance Suffers Second Hack in Quick Succession
Hacks and Scams ⚠️
Arcadia Finance
Amount of Loss ~ $455k
Analysis
A hacker stole approximately $455,000 from Arcadia Finance, a DeFi protocol.
The absence of a validation mechanism allowed fake inputs to go unchecked, leading to the exploit.
Additionally, the protocol lacked reentrancy protection, enabling the instant liquidation to bypass internal vault health checks, further facilitating the attack.
Most of the stolen funds, around 180 Ether (valued at $1,861), originated from Optimism and were obtained through Tornado Cash.
The hacked wallet address still contained stolen tokens valued at over $103,000 (at the time of writing) on the Ethereum network.
Multichain
Amount of Loss ~ $126 Million
Analysis
Multichain, previously known as Anyswap, is a cross-chain protocol facilitating cryptocurrency exchanges across different blockchains.
The protocol has been locked since May due to a technical issue, preventing users from making transactions.
Recent security breaches resulted in over $125 million being lost in abnormal transfers, followed by an additional $103 million moved to various blockchain addresses.
The exploit in Multichain was attributed to compromised project administrator keys, leading to suspicions of an inside job or rug pull, further supported by the CEO's disappearance.
Rodeo Finance
Amount of Loss ~ $1.53 Million
Analysis
On July 11, Rodeo Finance, an Arbitrum-based DeFi protocol, experienced an exploit resulting in a loss of $1.53 million and over 810 Ether (ETH).
The exploit leveraged a code vulnerability in Rodeo Finance's Oracle, allowing the exploiter to manipulate time-weighted average prices and take advantage of price discrepancies during transactions.
The attacker bridged the stolen funds from Arbitrum to Ethereum, converting 285 ETH to unshETH, and deposited the ETH on Eth2 staking to further obscure their tracks.
To further hide their activity, the exploiter used the popular mixer service, Tornado Cash, to route the stolen ETH.
The exploiter's wallet still holds over 374 ETH, and Etherscan has identified the address as linked to the Rodeo exploit. The attack significantly impacted the protocol's native token, causing a 53% price drop in the past 24 hours, and the total value locked (TVL) in the DeFi protocol fell from $20 million to less than $500 following the exploit.
Libertify Vault
Amount of Loss ~ $452k
Analysis
On July 11, 2023, Libertify suffered an exploit on both the Ethereum and Polygon chains, resulting in a total loss of approximately $452,000.
The exploit was caused by a lack of reentrancy protection in the deposit function of the LibertiVault contract, allowing the attacker to repeatedly mint more shares and take away additional rewards.
The attacker used a flash loan of 10 million USDT for the Polygon chain attack, manipulating the deposit function to mint tokens based on the contract's balance before the deposit, leading to the exploit.
The total loss was approximately $162,000 on Ethereum and $288,000 on Polygon. Some of the stolen funds were bridged to Ethereum, with approximately 123.8 ETH worth $394,099 held in the address at the time of reporting.
Libertify confirmed the incident and mentioned that the hack occurred on a test vault with mostly employee funds, with only $230 worth of user funds affected. They plan to initiate the law enforcement process if the funds are not returned by a specified time.
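The Libertify deposit issue described above, as an added Python model (not LibertiVault's code; the Vault class, the starting balances and the share formula are assumptions made for illustration). Shares are priced from a balance snapshot taken before an external call, so a nested deposit is priced on stale data unless a reentrancy lock rejects it.

```python
class Reverted(Exception):
    """Stands in for an EVM revert."""

class Vault:
    """Toy share vault (constructed model, not LibertiVault's code)."""
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        # Constructed starting state: existing holders own 1,000 shares of 1,000 assets.
        self.assets, self.supply = 1_000, 1_000
        self.shares = {}

    def deposit(self, who, amount, callback=None):
        if self.guarded and self.locked:
            raise Reverted("reentrant deposit")    # nonReentrant-style lock
        self.locked = True
        try:
            assets_before = self.assets            # balance snapshot taken before the deposit
            if callback:
                callback(self)                     # external call: control leaves the vault
            self.assets += amount
            # Assumed formula: live share supply divided by the stale balance snapshot.
            minted = amount * self.supply // assets_before
            self.supply += minted
            self.shares[who] = self.shares.get(who, 0) + minted
            return minted
        finally:
            self.locked = False

def claim(vault, who):
    """Assets `who` could redeem at the current share price."""
    return vault.shares.get(who, 0) * vault.assets // vault.supply

def nested_deposit_claim(guarded):
    """Deposit 1,000 twice, the second time from inside the first call's callback."""
    vault = Vault(guarded)
    try:
        vault.deposit("depositor", 1_000,
                      callback=lambda v: v.deposit("depositor", 1_000))
    except Reverted:
        return None, vault.assets                  # whole transaction reverted, state untouched
    return claim(vault, "depositor"), vault.assets

if __name__ == "__main__":
    print("unguarded:", nested_deposit_claim(False))
    print("guarded:  ", nested_deposit_claim(True))
```

Without the lock the depositor pays in 2,000 and ends with a claim on 2,250 at the expense of existing holders; with the lock the nested call reverts and the vault balance is unchanged.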
Platypus Finance
Amount of Loss ~ $50k
Analysis
Platypus Finance halted their pools due to detecting "suspicious activities" after being alerted by security firms.
This marks the second hack on Platypus Finance, with the previous attack occurring only ten days after its launch in February 2023 and also involving flash loans.
The recent exploit involved an arbitrage opportunity where users could deposit USDC and withdraw more USDT due to a price difference between the two pools not being considered during the token exchange via CoverageRatio.
Approximately 50,000 $USDC were arbitraged using this method, leading to the pause of the pools to address the issue and prevent further losses.
Explore the Depths of Knowledge: Research Papers & Blogs 🔖
A Case for the Defense
The article discusses the importance of robust security in the web3 ecosystem. It suggests various defense strategies including forensics, negotiation, circuit breakers, white-hat MEV, insurance, bug bounties, audits, testing, development practices, and simple architecture. The piece emphasizes a multi-layered defense approach and the humility of development teams in acknowledging potential vulnerabilities.
Decoding Rodeo Finance Hack
On the 11th of July 2023, Rodeo Finance on the Arbitrum chain was attacked. The attack was made possible by a price oracle manipulation vulnerability, and around 472 ETH was stolen by the hackers in the exploit.
Web3 Community Spotlight 🔦
QuillCtf - Metatoken Madness
There is a new metatoken in the market. Alice and Bob have already bought it. Don't miss out on it.
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.