$1.5 million stolen from DeFi protocol Rodeo Finance

The hacker withdrew 810.1 ETH (~$1.5 million at the time of writing) from the Rodeo Finance DeFi protocol on the Arbitrum network through oracle manipulation.

According to PeckShield analysis, after the attack, the attacker sent stolen assets to the Ethereum network, and then exchanged them for unshETH in order to transfer funds to the Ankr staking service. Subsequently, he laundered the cryptocurrency through the Tornado Cash mixer.

Representatives of Rodeo Finance have not yet officially responded to the incident.

Igor Igamberdiev, head of research at Wintermute, told The Block that the attack was “manipulation of the oracle TWAP”.

According to him, the hacker artificially distorted the average price of an asset in order to gain an undue advantage during transactions. Such an exploit allowed for a flash loan attack, he said.

Igamberdiev specified that the attacker probably borrowed a huge amount, devalued the asset using an exploit, and then purchased even more coins at an artificially low price.

PeckShield experts added that a serious error was in the chain of exchanging USDC for wrapped ETH and then for unshETH. The expected slippage control, designed to prevent excessive price deviation, did not work properly due to a malfunction in the price oracle of the latter (unshETH), the analysts explained.
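
The failure described above, a slippage limit computed from an oracle price that is itself distorted, can be shown with a small model. This is an added Python illustration, not Rodeo Finance's code: the prices, window lengths, thresholds and function names are all constructed assumptions.

```python
# Added illustration; all prices, windows and thresholds are constructed.
PRICE_SCALE = 1_000_000  # fixed-point: 1_000_000 == 1.0 output unit per input unit

# (timestamp_seconds, price) readings; the last 300 s carry a distorted price.
SAMPLES = [(0, 1_000_000), (1500, 400_000)]

def twap(samples, now, window):
    """Time-weighted average price over [now - window, now].
    Each reading is assumed to hold until the next one."""
    start = now - window
    if not samples or samples[0][0] > start:
        raise ValueError("not enough history to cover the window")
    total = 0
    for i, (ts, price) in enumerate(samples):
        end = samples[i + 1][0] if i + 1 < len(samples) else now
        lo, hi = max(ts, start), min(end, now)
        if hi > lo:
            total += price * (hi - lo)
    return total // window

def min_out(amount_in, oracle_price, slippage_bps):
    """Smallest swap output the slippage check will accept."""
    return amount_in * oracle_price * (10_000 - slippage_bps) // (PRICE_SCALE * 10_000)

def checked_price(twap_price, reference_price, max_dev_bps):
    """Refuse a TWAP that strays too far from an independent reference price."""
    dev_bps = abs(twap_price - reference_price) * 10_000 // reference_price
    if dev_bps > max_dev_bps:
        raise ValueError(f"oracle is {dev_bps} bps away from reference")
    return twap_price

if __name__ == "__main__":
    fair = 1_000_000  # constructed independent reference price
    for window in (1800, 600):
        p = twap(SAMPLES, now=1800, window=window)
        print(window, p, min_out(1000, p, 100), "vs fair", min_out(1000, fair, 100))
        try:
            checked_price(p, fair, max_dev_bps=500)
        except ValueError as err:
            print("  swap rejected:", err)
```

With the distorted readings, a 1% slippage tolerance accepts 891 or 693 units instead of 990, so the bound is only as trustworthy as the price feeding it; the deviation check against a second source is what stops the swap.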

In July, the Arcadia Finance DeFi protocol was hacked for $455,000. According to PeckShield, the code allegedly lacked a mechanism for cross-analysis of unconfirmed inputs.

Earlier, Beosin experts reported that in the first half of 2023, the digital asset sector lost about $655.6 million as a result of hacker attacks, fraud and rug pulls.
