On the 11th of July 2023, the Rodeo Finance on the Arbitrumchain was attacked. The attack was made possible by a Price Oracle Manipulation vulnerability. And around 472ETH was stolen by the hackers from the exploit.
Rodeo is a DeFi protocol that allows users to earn a yield on a diverse range of managed and passive investment strategies. To learn more about them, check out their documentation.
Attacker Address: 0x2f3788F2396127061c46fC07BD0fcb91faAcE328
Victim Contract: 0xE9544Ee39821F72c4fc87A5588522230e340aa54
Attack Transactions:
0x98f1e234faac8b7f7ceaffe4e8e0581038678d95710b646db45ec3de47e6c3af
The exploiter has bridged the stolen funds from Arbitrum to Ethereum, swapped 285 ETH for unshETH and deposited them to Ankr: ETH2 Staking, and transferred 150 ETH to Tornado Cash.
Complete resolution image here.
Here is a snippet of the attacker’s wallet. Check the complete details here.
The Project acknowledged the hack via Twitter.
11-07-2023 (07:45:25 AM + UTC) – A suspicious activity was spotted on Rodeo Finance Contracts.
11-07-2023 (07:59:35 AM +UTC) – Exploiter swapped 285 unshETH .
11-07-2023 (08:13:59 AM +UTC) – Exploiter deposited 150 Ether to Tornado.Cash with a transaction fee of 0.015 Ether
The price of the RDO token dropped from $0.2 to $0.08 immediately following the attack. It is currently trading at $0.1 as of the time of writing this blog. See here.
The Exploit could have been prevented if Price Oracle had been correctly implemented.
Oracle should not rely on the ratio of both tokens to calculate the final price.
Also, multiple oracles should be used for price queries.
The best way to enhance platforms security is by using the service of a robust decentralized oracle such as Chainlink or by aggregating many different price feeds.
Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out.
Insider Secrets - Delivered Right to You. Subscribe now.