A code vulnerability in its price oracle has led to another major exploit of Rodeo Finance, a DeFi protocol that operates on the Arbitrum layer 2 network. The attacker drained about $1.53 million from the protocol by manipulating the oracle's price feed.
Another Unforeseeable Exploit Is the Culprit Behind the Attack on Rodeo Finance
Rodeo Finance, a DeFi protocol that operates on the Arbitrum blockchain, suffered its second major exploit on July 11, losing 472 ETH, worth around $888,000 at the time. The attacker exploited a code vulnerability in Rodeo's oracle, the component that supplies price data to the protocol.
According to PeckShield, a blockchain-monitoring firm, the attacker bridged the stolen funds to another network and then swapped 285 ETH for a synthetic version of ETH.
After the swap, the attacker staked ETH, locking it in a contract that earns rewards for helping secure the network, before sending 150 ETH to Tornado Cash, a mixing service that obscures transaction history.
— PeckShieldAlert (@PeckShieldAlert) July 11, 2023
The attacker manipulated Rodeo's time-weighted average price (TWAP) oracle. A TWAP oracle reports the average price of an asset over a chosen time window rather than the instantaneous spot price.
DeFi protocols use TWAPs to dampen the effect of short-lived price swings on their operations. The averaging does not remove the risk of oracle manipulation, however: an attacker who can move the underlying market price for long enough, or in a market thin enough, shifts the average the oracle reports, and every protocol that trusts that oracle misprices accordingly.
The exploiter's approach was to borrow a large amount of an asset and drive its price down through market manipulation, then buy the same asset back at the lower price. The repurchased tokens repaid the loan, and the attacker kept the difference as profit.
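As an added illustration (not code from Rodeo Finance or from this article), the following Python model puts a Uniswap-v2-style TWAP oracle on top of a small constant-product pool and runs a manipulation through it. The pool sizes, loan amount, 12-second block time and the 80% loan-to-value figure are all constructed, and the hypothetical lender and the short-versus-long window check are assumptions for the example. It pushes the price up to inflate collateral, but the same mechanics apply to pushing it down as described above.

```python
"""Toy TWAP oracle on a constant-product pool. Added example, not Rodeo code;
every number below is constructed for illustration."""
from dataclasses import dataclass, field

BLOCK_SECONDS = 12  # assumed block time for the simulation


@dataclass
class Pool:
    """Fee-less constant-product AMM (x * y = k). token0 = the asset, token1 = ETH.
    Real pools charge a swap fee; that fee is the one unavoidable cost of a round trip."""
    reserve0: float
    reserve1: float

    def spot_price(self) -> float:
        """Price of one token0 in token1, read straight from the reserves."""
        return self.reserve1 / self.reserve0

    def buy_token0(self, amount1: float) -> float:
        """Pay amount1 ETH into the pool; returns token0 received. Spot goes up."""
        k = self.reserve0 * self.reserve1
        self.reserve1 += amount1
        new_reserve0 = k / self.reserve1
        out = self.reserve0 - new_reserve0
        self.reserve0 = new_reserve0
        return out

    def sell_token0(self, amount0: float) -> float:
        """Pay amount0 of the asset into the pool; returns ETH received. Spot goes down."""
        k = self.reserve0 * self.reserve1
        self.reserve0 += amount0
        new_reserve1 = k / self.reserve0
        out = self.reserve1 - new_reserve1
        self.reserve1 = new_reserve1
        return out


@dataclass
class TwapOracle:
    """Cumulative-price oracle in the Uniswap v2 style: each checkpoint adds
    spot * elapsed_seconds to a running sum; a TWAP over a window is the
    difference between two checkpoints divided by the seconds between them."""
    pool: Pool
    last_time: int
    cumulative: float = 0.0
    checkpoints: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.checkpoints.append((self.last_time, self.cumulative))

    def checkpoint(self, now: int) -> None:
        """Accumulate the price that held since the previous checkpoint."""
        if now <= self.last_time:
            return
        self.cumulative += self.pool.spot_price() * (now - self.last_time)
        self.last_time = now
        self.checkpoints.append((now, self.cumulative))

    def twap(self, window_seconds: int) -> float:
        now_t, now_c = self.checkpoints[-1]
        target = now_t - window_seconds
        for t, c in reversed(self.checkpoints):
            if t <= target:
                return (now_c - c) / (now_t - t)
        raise ValueError("not enough history for the requested window")


def borrow_limit(collateral: float, price: float, ltv: float = 0.8) -> float:
    """ETH a hypothetical lender extends against `collateral` units of the asset."""
    return collateral * price * ltv


def short_vs_long_window_ok(short_twap: float, long_twap: float,
                            max_rel_dev: float = 0.05) -> bool:
    """Assumed defensive check: refuse a price whose short-window TWAP has
    drifted more than max_rel_dev from a long-window TWAP of the same pool."""
    return abs(short_twap - long_twap) / long_twap <= max_rel_dev


def run_scenario(loan_eth: float = 9000.0, collateral: float = 100.0) -> dict:
    pool = Pool(reserve0=1000.0, reserve1=1000.0)  # thin pool, 1 ETH per asset
    oracle = TwapOracle(pool, last_time=0)

    # 100 quiet blocks at the honest price
    for block in range(1, 101):
        oracle.checkpoint(block * BLOCK_SECONDS)
    honest_price = oracle.twap(BLOCK_SECONDS)
    quiet_check_ok = short_vs_long_window_ok(honest_price, oracle.twap(60 * BLOCK_SECONDS))

    # Block 101: the attacker's swap first checkpoints the pre-trade reserves
    # (as Uniswap v2's _update does), then moves the price with borrowed ETH.
    oracle.checkpoint(101 * BLOCK_SECONDS)
    bought = pool.buy_token0(loan_eth)  # reserves become 100 asset / 10000 ETH
    manipulated_spot = pool.spot_price()

    # Block 102: the next interaction bakes one full block at the manipulated
    # price into the accumulator; the attacker borrows against it, then unwinds.
    oracle.checkpoint(102 * BLOCK_SECONDS)
    twap_1_block = oracle.twap(1 * BLOCK_SECONDS)
    twap_60_blocks = oracle.twap(60 * BLOCK_SECONDS)
    eth_back = pool.sell_token0(bought)  # nobody arbitraged in between

    return {
        "honest_price": honest_price,
        "manipulated_spot": manipulated_spot,
        "twap_1_block": twap_1_block,
        "twap_60_blocks": twap_60_blocks,
        "round_trip_cost": loan_eth - eth_back,
        "borrow_honest": borrow_limit(collateral, honest_price),
        "borrow_1_block": borrow_limit(collateral, twap_1_block),
        "borrow_60_blocks": borrow_limit(collateral, twap_60_blocks),
        "quiet_check_ok": quiet_check_ok,
        "attack_check_ok": short_vs_long_window_ok(twap_1_block, twap_60_blocks),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:>18}: {value}")
```

Two things stand out when it runs. The one-block TWAP reproduces the manipulated spot exactly, while the 60-block window still moves by a factor of 2.65, so a longer window raises the cost of the attack rather than eliminating it. And because the fee-less pool returns the whole loan on the unwind, the only cost the manipulator bears is the swap fee and whatever arbitrage lands between the two blocks; in a thin pool, that can be very little. The short-versus-long window comparison at the end is one cheap check a lender can apply before trusting the reported price.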
The attack dealt Rodeo Finance a severe blow, cutting its total value locked (TVL) from $20 million to under $500. The attacker's wallet address still holds more than 370 ETH, and Etherscan has tagged it as linked to the Rodeo incident.