The hacker withdrew 810.1 ETH (~$1.5 million at the time of writing) from the Rodeo Finance DeFi protocol on the Arbitrum network through oracle manipulation.
According to PeckShield analysis, after the hack, the attacker sent the stolen assets to the Ethereum network and then exchanged them for unshETH in order to transfer funds to the Ankr staking service. Subsequently, he laundered the cryptocurrency through the Tornado Cash mixer.
Representatives of Rodeo Finance have not yet officially responded to the incident.
Igor Igamberdiev, head of research at Wintermute, told The Block that the attack was “manipulation of the oracle TWAP“.
According to him, the hacker artificially distorted the average price of an asset in order to gain an undue advantage during transactions. A similar exploit allowed for a flash credit attack, he said.
Igamberdiev specified that the attacker probably borrowed a huge amount, devalued the asset using an exploit, and then purchased even more coins at an artificially low price.
PeckShield experts added that a serious error was in the chain of exchanging USDC for wrapped ETH and then for unshETH. Anticipated slippage control, designed to prevent excessive price deviation, did not work properly due to a malfunction in the latter’s price oracle, the analysts explained.
Recall that in July, the Arcadia Finance DeFi protocol was hacked for $455,000. According to PeckShield, the code allegedly lacked a mechanism for cross-analysis of unconfirmed input data.
Earlier, Beosin experts reported that in the first half of 2023, the digital asset sector lost about $655.6 million as a result of hacker attacks, fraud and rug pull.
Found a mistake in the text? Select it and press CTRL+ENTER
ForkLog Newsletters: Keep your finger on the pulse of the bitcoin industry!