The ArcadiaFi exploit on both the Ethereum and Optimism networks resulted in a loss of $455,000. The attacker supplied manipulated inputs and took advantage of vulnerabilities in the protocol. The attack highlights the importance of thorough parameter checks and the need for stronger security measures within decentralized finance (DeFi) protocols.
ArcadiaFi responded: “We have initiated contact with the attacker.

https://optimistic.etherscan.io/tx/0xc598bf554a738ebeec234930e4bffe1c7a4266a1bbbdfae63b6951e448a17fc5
https://etherscan.io/tx/0x01e2683bfdb945fcb6af7ed6a656dbabb04d7c8135125184fd29f5665fd0546c

We will continue to work with our security partners, law enforcement, and the broader community to resolve this as best we can. Our number one priority is recovering funds for Arcadia protocol users.”
The Exploit and Its Root Cause:
The primary reason behind the successful attack was the lack of parameter checks on the attacker’s input. This flaw allowed the hacker to approve leveraged funds to a malicious contract, ultimately leading to the significant loss. Three main factors contributed to the exploit: leverage, controllable action data, and reentrancy.
Attack Flow:
The attacker initiated the exploit by executing a flashloan of 2.4 WETH and 20,672 USDC. These funds were then deposited into the ArcadiaFi protocol, a popular DeFi platform. The attacker proceeded to call the “doActionWithLeverage” function, which expanded the funds by a factor of five. Subsequently, the attacker deposited the multiplied funds into the ActionMultiCall contract (0x2de7bbaaab48eac228449584f94636bb20d63e65).
One crucial aspect of the attack was the use of malicious action data. Since the actionData parameter lacked proper validation, the attacker was able to make the ActionMultiCall contract approve its WETH and USDC to the attacker's contract. This approval granted the attacker control over the funds, which were then pulled out with “transferFrom()”.
The protocol's fund check runs only after the action completes, so to get past it the attacker re-entered the leveraged contract and performed a liquidation before that check could run. This maneuver allowed the attacker to bypass the check and complete the exploit.
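The following is an added illustration, not ArcadiaFi's code, and all contract and function names are hypothetical: a minimal multicall executor in the unchecked shape the text describes, alongside a hardened variant that only executes allow-listed target/selector pairs and additionally checks the spender of any ERC-20 approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration, not ArcadiaFi's code; contract and function names are hypothetical.
// Both contracts run a batch of (target, calldata) pairs that the caller encodes in actionData.

// Vulnerable pattern: every pair runs with this contract's authority, so a caller can make it
// approve the tokens it holds to any address they choose.
contract UncheckedMultiCall {
    function executeAction(bytes calldata actionData) external {
        (address[] memory targets, bytes[] memory data) = abi.decode(actionData, (address[], bytes[]));
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call(data[i]);
            require(ok, "call failed");
        }
    }
}

// Hardened pattern: each call must hit an allow-listed target and selector, and an ERC-20
// approve may only name an allow-listed spender (for example a known DEX router).
contract CheckedMultiCall {
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));
    address public immutable owner = msg.sender;
    mapping(address => mapping(bytes4 => bool)) public allowedCall;
    mapping(address => bool) public allowedSpender;

    function setAllowedCall(address target, bytes4 sel, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedCall[target][sel] = ok;
    }
    function setAllowedSpender(address spender, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedSpender[spender] = ok;
    }

    function executeAction(bytes calldata actionData) external {
        (address[] memory targets, bytes[] memory data) = abi.decode(actionData, (address[], bytes[]));
        for (uint256 i = 0; i < targets.length; i++) {
            require(data[i].length >= 4, "no selector");
            bytes4 sel = bytes4(data[i]);
            require(allowedCall[targets[i]][sel], "call not allowed");
            if (sel == APPROVE) require(allowedSpender[spenderOf(data[i])], "spender not allowed");
            (bool ok, ) = targets[i].call(data[i]);
            require(ok, "call failed");
        }
    }

    // Decode the spender argument of approve(address,uint256) by skipping the 4-byte selector.
    function spenderOf(bytes memory d) internal pure returns (address spender) {
        require(d.length >= 36, "approve calldata too short");
        bytes memory args = new bytes(d.length - 4);
        for (uint256 j = 0; j < args.length; j++) args[j] = d[j + 4];
        (spender, ) = abi.decode(args, (address, uint256));
    }
}
```

The re-entry step described above is a separate defect: the leveraged flow that performs the post-action fund check should carry a reentrancy lock so that a liquidation cannot be triggered from inside the action before that check runs.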
Implications for the DeFi Ecosystem:
The recent exploit sheds light on the importance of robust security practices within the DeFi ecosystem. As decentralized finance continues to gain popularity, it becomes imperative for developers and auditors to thoroughly assess and validate the code of smart contracts. Implementing stringent parameter checks and ensuring that user inputs undergo rigorous validations are vital steps in preventing such vulnerabilities.