Rodeo Finance Suffers $1.5 Million Loss due to Oracle Code Vulnerability

On July 11th, Rodeo Finance, a decentralized finance (DeFi) protocol operating on the Arbitrum platform, fell victim to an exploit, incurring a loss of $1.53 million.

This incident was facilitated through an exploit involving a code vulnerability in the protocol's Oracle, leading to a significant loss of more than 810 Ether (ETH).

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is a Crypto Bridge? (Explained with Animations)

SUBSCRIBE

ON YOUTUBE

Insights from the blockchain analytics company PeckShield shed light on the attacker's strategy. After exploiting Rodeo Finance, the hacker transferred funds from Arbitrum to Ethereum, swapping 285 ETH for unshETH.

Following this move, they staked the ETH on Eth2. Their final maneuver was to route the stolen ETH via the widely-used mixer service Tornado Cash.

The hacker utilized a sophisticated technique known as time-weighted average price oracle manipulation. DeFi protocols commonly use this method to determine the average asset price over a specific period, helping to mitigate potential volatility in the market.

However, this method can be manipulated by crafty attackers. By manipulating the calculated average price, they can exploit the protocol during a transaction. Essentially, they first borrow a large amount of assets, then abused the price to purchase the same asset at a deflated price. After returning the loan, the hacker can profit from the exploited low price.

As per Etherscan, the hacker's wallet address, linked to the Rodeo exploit, holds more than 374 ETH. In the aftermath of the exploit, the total value locked (TVL) in the DeFi protocol plummeted from $20 million to less than $500.

Furthermore, the native token's price suffered a steep 53% decline within 24 hours.

The year 2023 has seen a worrisome number of incidents on the Arbitrum Network. With 21 recorded exploits, losses exceed $20 million. This latest exploit of $1.53 million ranks as the fifth largest on Arbitrum in 2023.