Rodeo Finance, a decentralized finance (DeFi) protocol, fell victim to an exploit on July 11, resulting in a loss of $1.53 million. The exploit targeted a code vulnerability in Rodeo Finance's price oracle and allowed the attacker to steal over 810 ETH. After the attack, the stolen funds were bridged from Arbitrum to Ethereum, where the attacker swapped 285 ETH for unshETH. The stolen ETH was then deposited into Eth2 staking and subsequently routed through the mixing service Tornado Cash to obscure the transaction trail.
The exploit centered on manipulating a time-weighted average price (TWAP) oracle. DeFi protocols commonly use TWAP oracles to price an asset as its average over a fixed time window rather than at the instantaneous spot price, which is meant to smooth out short-lived volatility and make single-transaction price spikes less useful to an attacker. Here the attacker distorted the average the oracle computed, so the protocol priced assets at values the attacker controlled and could be transacted against on terms favorable to the attacker.
The attacker's tactic was to borrow a large amount of the asset, use it to push the price artificially so that the same asset could be purchased at an advantageous rate, and then repay the loan, keeping the difference created by the manipulated price. The exploiter's wallet address still holds more than 374 ETH, and Etherscan has flagged the address as associated with the Rodeo exploit. The total value locked (TVL) in the Rodeo Finance protocol, which had stood at $20 million, plummeted to below $500 following the exploit. The protocol's native token also fell by over 53% in the past 24 hours.
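To make the mechanism in the two paragraphs above concrete, the following is an added example written for this article; it is not Rodeo Finance's code and does not reproduce the attacker's transactions. It models a constant-product pool with a Uniswap-V2-style cumulative-price accumulator and reads a TWAP from it over two window lengths. The pool reserves (1000 tokens against 1000 ETH), the 12-second block interval, the 500 ETH pump size, the window lengths and the 80% loan-to-value ratio are all assumptions. It shows that one large swap moves a one-block TWAP all the way to the pumped price, while a 30-minute TWAP over the same pool barely moves, and what a lender reading each oracle would hand out against the tokens the attacker just bought.

```python
"""Toy model: constant-product AMM plus a Uniswap-V2-style cumulative-price
TWAP oracle. Constructed example, not Rodeo Finance code. Pool sizes, block
interval, pump size, windows and LTV are illustrative assumptions."""

from dataclasses import dataclass, field

BLOCK_TIME = 12  # assumed seconds between blocks / accumulator snapshots


@dataclass
class Pool:
    reserve_token: float            # the asset being priced (collateral token)
    reserve_eth: float              # quote asset
    fee: float = 0.003              # 0.3% swap fee, retained in reserves
    last_ts: int = 0
    price_cumulative: float = 0.0   # sum of (spot price * seconds), V2-style
    snapshots: dict = field(default_factory=dict)  # timestamp -> accumulator

    def spot(self) -> float:
        """Current ETH per token implied by the reserves."""
        return self.reserve_eth / self.reserve_token

    def new_block(self, ts: int) -> None:
        """Accumulate the price that held since the previous block, then
        snapshot. Called before the first swap of a block, like V2's _update."""
        elapsed = ts - self.last_ts
        if elapsed < 0:
            raise ValueError("timestamps must be monotonic")
        self.price_cumulative += self.spot() * elapsed
        self.last_ts = ts
        self.snapshots[ts] = self.price_cumulative

    def buy_token(self, eth_in: float) -> float:
        """Swap ETH for token along x*y=k; pushes the token price up."""
        k = self.reserve_token * self.reserve_eth
        token_after = k / (self.reserve_eth + eth_in * (1 - self.fee))
        token_out = self.reserve_token - token_after
        self.reserve_eth += eth_in
        self.reserve_token = token_after
        return token_out

    def twap(self, start_ts: int, end_ts: int) -> float:
        """Time-weighted average price between two snapshotted timestamps."""
        if end_ts <= start_ts:
            raise ValueError("window must be positive")
        return (self.snapshots[end_ts] - self.snapshots[start_ts]) / (end_ts - start_ts)


def max_borrow(collateral_tokens: float, oracle_price: float, ltv: float) -> float:
    """ETH a lender hands out against the collateral at the quoted price."""
    return collateral_tokens * oracle_price * ltv


def spot_within_band(spot: float, twap: float, max_deviation: float = 0.05) -> bool:
    """Extra guard an oracle consumer can apply: refuse to price collateral
    while the current spot has drifted more than max_deviation from the TWAP."""
    return abs(spot / twap - 1.0) <= max_deviation


def run_scenario(eth_to_pump: float = 500.0, ltv: float = 0.8) -> dict:
    pool = Pool(reserve_token=1000.0, reserve_eth=1000.0)  # assumed: 1 ETH/token
    # 30 minutes of quiet blocks so the accumulator has history at price 1.0.
    for ts in range(0, 1801, BLOCK_TIME):
        pool.new_block(ts)
    fair_price = pool.spot()

    # Attacker (e.g. using flash-borrowed ETH) buys a large slice of the pool
    # in block 1800, distorting the spot price for the rest of that block.
    attack_ts = 1800
    tokens_bought = pool.buy_token(eth_to_pump)
    pumped_spot = pool.spot()

    # Next block: the accumulator now contains one block at the pumped price.
    read_ts = attack_ts + BLOCK_TIME
    pool.new_block(read_ts)

    one_block_twap = pool.twap(attack_ts, read_ts)          # 12 s window
    thirty_min_twap = pool.twap(read_ts - 1800, read_ts)    # 1800 s window

    return {
        "fair_price": fair_price,
        "pumped_spot": pumped_spot,
        "tokens_bought": tokens_bought,
        "twap_1_block": one_block_twap,
        "twap_30_min": thirty_min_twap,
        # Value of the bought tokens at the undistorted price, versus what a
        # lender would lend against them under each oracle window.
        "fair_value": tokens_bought * fair_price,
        "borrow_short_window": max_borrow(tokens_bought, one_block_twap, ltv),
        "borrow_long_window": max_borrow(tokens_bought, thirty_min_twap, ltv),
    }


if __name__ == "__main__":
    r = run_scenario()
    for k, v in r.items():
        print(f"{k:>20}: {v:.4f}")
    print("spot within band of 30-min TWAP:",
          spot_within_band(r["pumped_spot"], r["twap_30_min"]))
```

With these numbers the one-block TWAP equals the pumped spot (about 2.25 ETH per token) and the lender would advance roughly 598 ETH against tokens worth about 333 ETH, so the loan is underwater the moment the attacker unwinds; the 30-minute TWAP moves to only about 1.008 and the same lender advances about 268 ETH. The longer window is damping, not immunity: an attacker who can hold the pumped price across many blocks, or whose capital is large relative to a thin pool, still moves it, which is why consumers also compare spot to the TWAP (the band check above) and size windows against the liquidity of the pool they read.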
In 2023 alone, the Arbitrum network has seen 21 exploits, with total losses surpassing $20 million. At $1.53 million, the Rodeo Finance exploit ranks as the fifth largest recorded on Arbitrum this year. Notably, Rodeo Finance had already been exploited on July 5 through a vulnerability in its mintProtocolReserves function, with losses of approximately $89,000.