Rodeo Finance Exploited for $1.5m in Ethereum $ETH

Rodeo Finance, an Arbitrum-based decentralized finance (DeFi) protocol, suffered a significant blow, losing $1.53 million in Ethereum due to a code vulnerability exploitation in its Oracle. This is the second exploit that the DeFi platform has endured in a span of a week, underscoring the escalating security issues facing such protocols. The attacker manipulated a key function to siphon funds from Rodeo's interest-bearing USDC pool, taking advantage of a vulnerability that enabled them to force a swap. Initially, 290 Wrapped Ethereum (WETH) was taken, before being bridged to the Ethereum network. The infiltrator used oracle manipulation to inflate their ETH value by swapping it for unshETH, a DeFi project aimed at promoting validator decentralization. Underlying Vulnerabilities Exploited The oracle manipulation permitted the conversion of WETH to unshETH at a rate not reflecting fair market value. The exploiter then seized the opportunity to return to the Ethereum network, further draining 230 WETH from the Rodeo vault. Before returning to the Ethereum network, they sent 150 ETH into Tornado Cash, effectively masking their tracks. The remaining balance of 371 ETH was left in the wallet. Although 520 WETH was extracted from the Rodeo vault, only 472 WETH is counted as losses, due to the attacker initially funding the wallet with 50 ETH to facilitate the exploit. Repeating Exploits This episode of Rodeo Finance’s exploitation comes shortly after the protocol suffered another security breach just last week, where a vulnerability in their mintProtocolReserves function led to a loss of approximately $89,000. Rodeo Finance isn't alone in facing these security issues. The Arbitrum network in 2023 alone has witnessed a total of 21 recorded incidents of some form of exploit, leading to a collective loss of over $20 million. The recent Rodeo Finance exploit, causing a $1.53 million loss, is the fifth-largest recorded on Aribitrum this year. After the exploit, the total value locked (TVL) in the DeFi protocol, initially at $20 million, fell below $500. Notably, the price of the native token of the DeFi protocol plummeted by over 53% in the last 24 hours. Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.