BTC-Newswire

Arcadia Finance hacker used reentrancy exploit, team demands return of funds

Press Releases Crypto News Cointelegraph Arcadia Finance hacker used reentrancy exploit, team demands return of funds

The Arcadia Finance attacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a July 10 post-mortem report issued by the app’s development team. A “reentrancy exploit” is a bug that allows an attacker to “reenter” a contract or interrupt it during a multi-step process, preventing the process from being completed correctly.

The team has sent a message to the attacker demanding the return of funds within 24 hours and threatening police action if the hacker fails to comply.

Post Mortem of ongoing situation, providing a technical overview and sharing more information on next steps.https://t.co/NPNbbSzKBQ

— Arcadia Finance (@ArcadiaFi) July 10, 2023

Arcadia Finance was exploited on the morning of July 10 and drained of $455,000 worth of crypto. A preliminary report from blockchain security firm PeckShield stated that the attacker had used a “lack of untrusted input validation” in the app’s contracts to drain the funds. The Arcadia team had denied this, stating that PeckShield’s analysis was mistaken. However, the team did not explain what it thought the cause was at the time.

The new Arcadia report stated that the app’s “liquidateVault()” function did not contain a reentrancy check. This allowed the attacker to call the function before a health check had been completed but after the attacker had withdrawn funds. As a result, the attacker could borrow funds and not pay them back, draining them from the protocol.

The team has now paused the contracts and is working on a patch to close the loophole.

The attacker first took a flash loan from Aave for $20,672 worth of USD Coin (USDC) and deposited it into an Arcadia vault. Next, the hacker used this vault collateral to borrow $103,210 USDC from an Arcadia liquidity pool. This was accomplished through a “doActionWithLeverage()” function that allows users to borrow funds only if their account can remain healthy by the end of the block. <

Go to Source to See Full Article
Author: Tom Blackstone

Did you like this?
Tip BTC Newswire with Cryptocurrency