Arbitrum-based Rodeo Finance exploited for $1.53M, the second time in a week

Arbitrum-based decentralized finance (DeFi) protocol Rodeo Finance was exploited for $1.53 million on July 11. The attacker used a code vulnerability in the protocol's oracle, causing a loss of more than 810 Ether (ETH).

According to data shared by blockchain analytics group PeckShield, the exploiter then bridged the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for unshETH. The exploiter then deposited the ETH into ETH2 staking. Ultimately, the exploiter routed the stolen ETH through the popular Tornado Cash mixer service, which exploiters often use as an exit route because mixers help hide the transaction trail.

Movement of funds from the Rodeo exploiter. Source: PeckShield

The exploiter manipulated the protocol's time-weighted average price (TWAP) oracle. DeFi protocols use TWAP oracles to calculate the average price of an asset over a specified period of time, which mitigates price fluctuations caused by volatility in the crypto market.

However, TWAP oracles can themselves be manipulated: by artificially skewing the prices that feed the average, an exploiter shifts the calculated average price of an asset. This lets them gain an advantage during a transaction and then exploit the protocol.

An exploiter first borrows a large sum of an asset and then artificially manipulates the price to buy the same asset at a deflated price. Subsequently, the exploiter repays the loan and keeps a profit based on the low price created by the manipulation.
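The following is an added example, not code from the article or from Rodeo Finance: it computes a TWAP from price observations, shows how far a short run of skewed prices moves a short window compared with a long one, and applies a deviation check against an independent reference price. The observations, function names, window lengths and the 5% threshold are constructed assumptions.

```python
# Constructed sample data: (unix_seconds, spot_price). Not taken from the incident.
OBSERVATIONS = [
    (0, 1.00), (600, 1.01), (1200, 0.99), (1800, 1.00),
    (2400, 1.00), (3000, 1.60), (3300, 1.65),  # last two samples are skewed
]

def twap(observations, now, window):
    """Time-weighted average price over [now - window, now].

    Each observed price is assumed to hold until the next observation.
    """
    start = now - window
    weighted, covered = 0.0, 0
    for i, (t, price) in enumerate(observations):
        t_next = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(t, start), min(t_next, now)
        if hi > lo:  # this price segment overlaps the window
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered

def checked_price(observations, now, window, reference, max_deviation=0.05):
    """Return the TWAP only if it is within max_deviation of an independent
    reference price (a hypothetical second feed); otherwise refuse to price."""
    price = twap(observations, now, window)
    deviation = abs(price - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"TWAP {price:.4f} deviates {deviation:.1%} from reference")
    return price

if __name__ == "__main__":
    print("before skew, 15 min window:", twap(OBSERVATIONS, 3000, 900))
    print("after skew, 15 min window: ", round(twap(OBSERVATIONS, 3600, 900), 4))
    print("after skew, 60 min window: ", round(twap(OBSERVATIONS, 3600, 3600), 4))
    try:
        checked_price(OBSERVATIONS, 3600, 3600, reference=1.00)
    except ValueError as err:
        print("rejected:", err)
```

A longer window dampens the skew but does not remove it, which is why the deviation check against a second source is what stops the bad price from being used.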


The exploiter's wallet address still holds more than 374 ETH, and Etherscan has labeled the address as linked to the Rodeo exploit. The DeFi protocol had $20 million in total value locked (TVL), which has fallen below $500 after the exploit.

Rodeo Finance TVL after the exploit. Source: DefiLlama

The exploit also pushed down the price of the DeFi protocol's native token, which fell more than 53% in the last 24 hours.

DRDO token price drop after the exploit. Source: CoinGecko

In 2023 alone, there were 21 exploit incidents of various types on the Arbitrum network, with a combined loss of more than $20 million. The latest $1.53 million exploit is the fifth largest recorded on Arbitrum in 2023. Rodeo Finance was also exploited on July 5, 2023 for ~$89,000 due to a vulnerability in its 'mintProtocolReserves' function.
