Arcadia Finance hacker used reentrancy exploit, team demands return of funds

In a post-mortem report, Arcadia Finance developers said an attacker stole funds by liquidating a vault before a health check could be performed, interrupting the application's normal flow of operations.

The Arcadia Finance attacker used a reentrancy exploit to drain $455,000 from the decentralized finance (DeFi) protocol, according to a July 10 post-mortem report released by the app's development team. A "reentrancy exploit" is a bug that allows an attacker to "re-enter" a contract, or interrupt it, during a multi-step process, preventing the process from successfully completing.

The team sent a message to the attacker demanding return of funds within 24 hours and threatening police action if the attacker does not comply.

Post Mortem of the current situation, providing technical insight and sharing more information on next steps. https://t.co/NPNbbSzKBQ

— Arcadia Finance (@ArcadiaFi) July 10, 2023

Arcadia Finance was exploited on the morning of July 10 and drained of $455,000 worth of crypto. A preliminary report from blockchain security firm PeckShield said the attacker exploited a "lack of untrusted input validation" in the app's contracts to drain funds. The Arcadia team denied this, saying PeckShield's analysis was flawed. However, the team did not explain at the time what it believed the cause to be.

The new Arcadia report indicates that the application's "liquidateVault()" function does not contain a reentrancy check. This allowed the attacker to call the function before a health check was completed, but after the attacker had withdrawn funds. As a result, the attacker could borrow funds and not pay them back, draining them from the protocol.
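A simplified model of the flaw described above, added here as an illustration and not taken from Arcadia's contracts or its report. Only the name liquidateVault comes from the article; the Vault class, vault_action, the amounts and the assumption that liquidation writes a shortfall off as bad debt are constructed for the example.

```python
# Simplified model, not Arcadia's contract code. Only the name liquidateVault
# is from the article; everything else (and every amount) is constructed.
class Revert(Exception):
    pass

class Vault:
    def __init__(self, collateral, guarded):
        self.collateral, self.debt = collateral, 0
        self.pool_bad_debt = 0    # assumed: lenders absorb a liquidated shortfall
        self.guarded = guarded    # True = reentrancy check present
        self.locked = False

    def _lock(self):
        if self.guarded and self.locked:
            raise Revert("reentrant call")
        self.locked = True

    def liquidateVault(self):
        self._lock()              # the check the report says was missing
        try:
            if self.collateral >= self.debt:
                raise Revert("vault is healthy")
            self.pool_bad_debt += self.debt - self.collateral
            self.debt = self.collateral = 0
        finally:
            self.locked = False

    def vault_action(self, borrow, withdraw, external_call):
        snapshot = dict(self.__dict__)
        self._lock()
        try:
            self.debt += borrow
            self.collateral -= withdraw
            external_call(self)               # control leaves the contract here
            if self.collateral < self.debt:   # health check runs last
                raise Revert("health check failed")
        except Revert:
            self.__dict__.update(snapshot)    # a revert undoes every state change
            raise
        self.locked = False

def run(guarded, external_call=lambda v: v.liquidateVault()):
    vault = Vault(collateral=100, guarded=guarded)
    try:
        vault.vault_action(80, 100, external_call)
        outcome = "completed"
    except Revert as exc:
        outcome = f"reverted: {exc}"
    return outcome, vault.collateral, vault.debt, vault.pool_bad_debt
```

Without the guard the action completes with the vault's debt cleared and an 80-unit shortfall left with lenders; with the guard the nested call reverts and the vault's state is unchanged.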

The team has now suspended contracts and is working on a fix to close the loophole.

The attacker first took a fl...
