Rodeo Finance, an Arbitrum-based decentralized finance (DeFi) protocol, recently experienced a significant security breach resulting in the loss of approximately $1.5 million worth of ether. The exploit involved an oracle manipulation attack, a method frequently employed by hackers to exploit vulnerabilities in DeFi platforms. This incident adds to a growing list of security breaches within the Arbitrum ecosystem, highlighting the urgent need for enhanced security measures.
Oracle Manipulation Attack Leads to $1.5 Million Loss
Rodeo Finance, operating on the Arbitrum network, fell victim to a sophisticated oracle manipulation attack on Tuesday. The attacker successfully made off with around 810 ether, equivalent to $1.5 million. The incident was initially detected by blockchain security firm PeckShield, which conducted further analysis to determine the attacker’s actions and trace the flow of stolen funds.
Exploiter Utilizes Complex Conversion Process to Cover Tracks
PeckShield’s analysis revealed that the attacker transferred the stolen funds from the Arbitrum network to Ethereum. Subsequently, they exchanged the stolen tokens for various other assets before ultimately converting them back to ether. To obscure the trail of funds, the attacker routed the ether through Tornado Cash, a well-known transaction mixer on the Ethereum network.
Based on PeckShield’s analysis, the recent hack at Rodeo Finance, which resulted in a loss of approximately $1.53 million, is identified as a “ForceInvestment” exploit. The flaw lies in the Investor.earn() function, which can be manipulated into performing an unwanted swap of $USDC to $WETH and then to $unshETH; because the $unshETH price oracle is flawed, the slippage control that should bound that swap never takes effect.
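As an added illustration (not Rodeo Finance’s or PeckShield’s code), the following Python model shows why a slippage control is only as strong as the price it is checked against: a constant-product pool, a check whose reference price is the pool’s own spot price, and the same check against a price taken independently of the pool (as a TWAP or external feed would supply). Pool sizes and swap amounts are constructed.

```python
from dataclasses import dataclass

BPS = 10_000


@dataclass
class Pool:
    """Constant-product AMM (x * y = k) holding token A and token B."""
    reserve_a: float
    reserve_b: float

    def spot_b_per_a(self) -> float:
        """Spot price: units of B received per unit of A at current reserves."""
        return self.reserve_b / self.reserve_a

    def quote_a_for_b(self, amount_a: float) -> float:
        """B that selling amount_a of A would pay out, without changing state."""
        k = self.reserve_a * self.reserve_b
        return self.reserve_b - k / (self.reserve_a + amount_a)

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns B paid out."""
        out_b = self.quote_a_for_b(amount_a)
        self.reserve_a += amount_a
        self.reserve_b -= out_b
        return out_b


def passes_slippage(amount_in: float, amount_out: float,
                    ref_b_per_a: float, max_bps: int) -> bool:
    """The protocol's control: amount_out must be within max_bps of what the
    reference price implies. A reference read from the pool itself moves
    with the pool, so it cannot detect that the pool has been mispriced."""
    min_out = amount_in * ref_b_per_a * (BPS - max_bps) / BPS
    return amount_out >= min_out


def compare_oracles(skew_in: float, protocol_in: float, max_bps: int = 100) -> dict:
    """Constructed scenario: a 1000 A / 1000 B pool (fair price 1 B per A).
    A large swap skews the pool before the protocol's own swap is executed;
    that swap is then checked against (1) the pool's spot price and
    (2) the independent reference price recorded before the skew."""
    pool = Pool(1_000.0, 1_000.0)
    reference = pool.spot_b_per_a()        # independent reference, unaffected by the skew
    pool.swap_a_for_b(skew_in)             # pool is now mispriced
    out = pool.quote_a_for_b(protocol_in)  # what the protocol's swap would receive
    return {
        "out": out,
        "spot_oracle_accepts": passes_slippage(protocol_in, out, pool.spot_b_per_a(), max_bps),
        "ref_oracle_accepts": passes_slippage(protocol_in, out, reference, max_bps),
    }
```

In the skewed case the spot-price check accepts a swap that returns less than half of fair value, while the check against the independent reference rejects it; with no skew both checks accept.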
This incident also involved a re-entrancy attack, in which the attacker exploited the ‘deposit()’ function by repeatedly re-entering it during an external call. By doing so, they were able to manipulate the totalSupply and acquire a significant portion of funds, taking advantage of the delayed update of the net asset value (NAV).
As of now, the Rodeo Finance team has not issued a response or statement regarding the security breach. It remains crucial for the platform to communicate with its users and the wider community, providing transparency about the incident and outlining any steps being taken to address the vulnerabilities.
Persistent Trend of Exploits in the Arbitrum Ecosystem
This recent exploit targeting Rodeo Finance is not an isolated incident within the Arbitrum ecosystem. Over the past few months, multiple DeFi protocols operating on Arbitrum have suffered security breaches. In April, Sentiment lost $1 million to a hacker, followed by a more substantial breach in May, where Jimbos protocol was stripped of $7.5 million. These incidents underscore the pressing need for heightened security measures and robust auditing processes within the DeFi space.
The security breach affecting Rodeo Finance on the Arbitrum network has resulted in the loss of $1.5 million worth of ether. The attacker employed an oracle manipulation attack to exploit vulnerabilities within the platform. Similar incidents have plagued the Arbitrum ecosystem, necessitating improved security measures and stricter auditing practices. It is essential for the Rodeo Finance team to promptly address the incident, communicate with their users, and take appropriate steps to enhance the platform’s security moving forward.