The Arcadia Finance attacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a July 10 post-mortem report issued by the app’s development team. A “reentrancy exploit” is a bug that allows an attacker to “re-enter” a contract or interrupt it during a multi-step process, preventing the process from being completed correctly.
The team has sent a message to the attacker demanding the return of funds within 24 hours and threatening police action if they fail to comply.
Post Mortem of ongoing situation, providing a technical overview and sharing more information on next steps.https://t.co/NPNbbSzKBQ
— Arcadia Finance (@ArcadiaFi) July 10, 2023
Arcadia Finance was exploited on the morning of July 10 and drained of $455,000 worth of crypto. A preliminary report from blockchain security firm Peckshield stated that the attacker had used a “lack of untrusted input validation” in the app’s contracts to drain the funds. The Arcadia team had denied this, stating that Peckshield’s analysis was mistaken. However, the team did not explain what they thought the cause was at the time.
The new Arcadia report stated that the app’s “liquidateVault()” function did not contain a reentrancy check. This allowed the attacker to call the function before a health check had been completed but after the attacker had withdrawn funds. As a result, the attacker could borrow funds and not pay them back, draining them from the protocol.
The team has now paused the contracts and is working on a patch to close the loophole.
The attacker first took a flash loan from Aave for $20,672 worth of US Dollar Coin (USDC) and deposited it into an Arcadia vault. Next, they used this vault collateral to borrow $103,210 USDC from an Arcadia liquidity pool. This was accomplished through a “doActionWithLeverage()” function that allows users to borrow funds only if their account can remain healthy by the end of the block.
The attacker deposited the $103,210 into the vault, bringing the total funds to $123,882. They then withdrew all funds, leaving the vault with no assets and $103,210 in debt.
Theoretically, this should have caused all actions to revert, as withdrawing the funds should have caused the account to fail a health check. However, the attacker used a malicious contract to call liquidateVault() before the health check could commence. The vault was liquidated, eliminating all of its debts. As a result, it was left with zero assets and zero liabilities, allowing it to pass the health check.
Since the account passed the health check after all transactions were concluded, none of the transactions reverted, and the pool was drained of $103,210. The attacker paid back the loan from Aave within the same block. They repeated this exploit multiple times, draining a total of $455,000 from pools on Optimism and Ethereum.
In its report, Arcadia’s team pushed back against claims that the exploit was caused by untrusted input, stating that this alleged vulnerability was not “the core issue” in the attack.
The Arcadia team posted a message to the attacker using the input data field of an Optimism transaction, stating:
“We understand you are involved with Arcadia Finance’s exploit. We’re actively working with security experts and law enforcement. Your TC deposits and withdrawals on BNB were a bit too fast, it’s hard to hide your identity online these days. We will escalate this with law enforcement in absence of any funds being returned within the next 24 hours.”
In its report, Arcadia claimed it had found some promising leads for tracking down the attacker. “Besides obtaining addresses linked to centralized exchanges, we also uncovered links to previous exploits of other protocols,” they said. “The team is investigating both on-chain and off-chain data to the fullest extent and has multiple leads.”
Exploits and scams have been a continuing problem in the DeFi space in 2023. A July 5 report from Certik stated that over $300 million was lost due to exploits in the second quarter of the year.