Arbitrum-based Rodeo Finance exploited for $1.53M, second exploit in a week

Arbitrum-based decentralized finance (DeFi) protocol Rodeo Finance was exploited on July 11 for $1.53 million. The DeFi protocol was exploited using a code vulnerability in its oracle, leading to the loss of over 810 Ether (ETH).

According to data shared by blockchain analytics firm PeckShield, the exploiter later bridged the stolen funds from Arbitrum to Ethereum and swapped 285 ETH for unshETH. The exploiter then deposited the ETH on Eth2 staking. Finally, the exploiter routed the stolen ETH through the popular mixer service Tornado Cash, which exploiters often use as an exit route to obscure transaction footprints.

Movement of funds from the Rodeo exploit. Source: PeckShield

The exploiter used Time-Weighted Average Price (TWAP) oracle manipulation. The TWAP Oracle is used by DeFi protocols to calculate the average price of an asset for a specific time frame in order to reduce price fluctuations due to crypto market volatility.

However, this leaves an opening for exploiters to manipulate these calculations by artificially lowering the calculated average price of an asset. This gives them an edge during transactions, which they then use to take advantage of the protocol.

An exploiter first borrows a large amount of an asset and then artificially manipulates the price in order to purchase the same asset at an inflated price. The exploiter later returns the loan and makes a profit based on the low price achieved through manipulation.
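The sketch below is an added example, not code from Rodeo Finance or from the original article. It shows how the length of a TWAP window changes the effect of a short-lived price distortion, and how a deviation bound against an independent reference catches it. The function names, the price series and the 5% bound are assumptions made for illustration.

```python
# Added illustration: constructed data and hypothetical names throughout.

def twap(observations, now, window):
    """Time-weighted average price over the last `window` seconds.

    observations: (timestamp, price) pairs sorted by time; each price is
    assumed to hold until the next observation (or until `now`).
    """
    start = now - window
    if not observations or observations[0][0] > start:
        raise ValueError("observations do not cover the whole window")
    next_times = [t for t, _ in observations[1:]] + [now]
    weighted = 0.0
    for (t, price), t_next in zip(observations, next_times):
        lo, hi = max(t, start), min(t_next, now)
        if hi > lo:  # this segment overlaps the averaging window
            weighted += price * (hi - lo)
    return weighted / window


def within_bounds(oracle_price, reference_price, max_deviation=0.05):
    """Defensive check: accept the TWAP only if it stays within
    `max_deviation` of an independent reference price (assumed available)."""
    return abs(oracle_price - reference_price) / reference_price <= max_deviation


# Constructed series: price 100 for 45 minutes, then pushed down to 60
# for the final 15 minutes before the protocol reads the oracle.
OBSERVATIONS = [(0, 100.0), (2700, 60.0)]
NOW = 3600
REFERENCE = 100.0  # constructed independent reference price

if __name__ == "__main__":
    for window in (1800, 3600):
        price = twap(OBSERVATIONS, NOW, window)
        print(f"window={window}s twap={price:.2f} accepted={within_bounds(price, REFERENCE)}")
```

The longer window dampens the distortion but does not remove it, which is why the bounds check is applied to the averaged price rather than relying on the window alone.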

The exploiter's wallet address still holds over 374 ETH, and Etherscan has marked the address as linked to the Rodeo exploit. The DeFi protocol had $20 million in total value locked (TVL), which has dropped below $500 since the exploit.

Rodeo Finance TVL after the exploit. Source: DefiLlama

The exploit also caused the price of the DeFi protocol’s native token to drop by more than 53% in the past 24 hours.

RDO token price drop after the exploit. Source: CoinGecko

In 2023 alone, 21 exploit incidents have been reported on the Arbitrum network, with a total loss of over $20 million. The latest exploit of $1.53 million makes it the fifth largest exploit recorded on Arbitrum in 2023. Rodeo Finance was also exploited for approximately $89,000 on July 5 due to a vulnerability in its MintProtocolReserve function.

