Rodeo Finance, a DeFi protocol, has suffered an exploit that resulted in a loss of $888,000 from its coffers. The attacker took advantage of a programming flaw in the protocol’s Oracle, manipulated an asset’s price, and stole more than 472 ETH.
PeckShield described the exploit as a “ForceInvestment” hack. It targeted time-weighted average price (TWAP) oracles, a technique DeFi protocols use to determine an asset’s average price over a set time window and to smooth out short-term price swings caused by market volatility. By manipulating these TWAP oracles, the attacker could fraudulently inflate an asset’s price, purchase the same asset for less elsewhere, and then profit from the difference between the artificially low price and the inflated one.
Our analysis shows that the @Rodeo_Finance hack (w/ ~$1.53M loss) is a so-called “ForceInvestment” hack: the Investor.earn() routine has a flaw that can be forced to swap $USDC -> $WETH -> $unshETH, but the slippage control cannot take effect as expected due to the flawed… pic.twitter.com/2j0bmQRe2r
— PeckShield Inc. (@peckshield) July 11, 2023
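To make the TWAP mechanism discussed above concrete, here is an added example in Python; it is not code from Rodeo Finance or PeckShield. It builds a cumulative-price accumulator from constructed price samples, computes a TWAP over two window lengths to show how much a single-block price spike moves each, and applies a slippage guard that bounds a USDC -> WETH swap against the TWAP rather than the pool’s current quote (the token names and tolerance are assumptions for illustration).

```python
from dataclasses import dataclass


@dataclass
class Observation:
    timestamp: int           # seconds
    price_cumulative: float  # sum over time of (spot price * seconds it held)


def accumulate(samples):
    """Turn (timestamp, spot_price) samples into cumulative-price observations,
    the kind of accumulator a TWAP oracle reads. Each spot price is assumed to
    hold until the next sample."""
    obs = [Observation(samples[0][0], 0.0)]
    for (t_prev, p_prev), (t, _) in zip(samples, samples[1:]):
        obs.append(Observation(t, obs[-1].price_cumulative + p_prev * (t - t_prev)))
    return obs


def twap(obs, window):
    """Average price over roughly the last `window` seconds, anchored at the
    latest observation at or before the window start."""
    end = obs[-1]
    start = max((o for o in obs if o.timestamp <= end.timestamp - window),
                key=lambda o: o.timestamp)
    return (end.price_cumulative - start.price_cumulative) / (end.timestamp - start.timestamp)


def output_within_tolerance(amount_in, amount_out, reference_price, max_deviation):
    """Slippage guard: accept a swap of `amount_in` quote tokens (USDC) only if
    `amount_out` base tokens (WETH) is within `max_deviation` of what the
    reference (TWAP) price implies. Bounding against the TWAP rather than the
    pool's own current quote means a manipulated spot price cannot relax the bound."""
    expected_out = amount_in / reference_price
    return amount_out >= expected_out * (1 - max_deviation)


# Constructed sample: WETH priced at 1000 USDC for 30 minutes, a one-block (12 s)
# spike to 10000, then back to 1000.
SAMPLES = [(t, 1000.0) for t in range(0, 1800, 60)] + [(1800, 10000.0), (1812, 1000.0), (1860, 1000.0)]
OBS = accumulate(SAMPLES)

if __name__ == "__main__":
    print("30-min TWAP:", twap(OBS, 1800))  # 1060.0: the spike moves it about 6%
    print("1-min TWAP: ", twap(OBS, 60))    # 2800.0: a short window is dominated by the spike
    # 10,000 USDC for 9 WETH is within 5% of the 30-min TWAP; 1 WETH (the spike quote) is not
    print(output_within_tolerance(10_000, 9.0, twap(OBS, 1800), 0.05))  # True
    print(output_within_tolerance(10_000, 1.0, twap(OBS, 1800), 0.05))  # False
```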
According to PeckShield, the attacker has exchanged part of the stolen ETH multiple times and transferred the funds through Tornado Cash to conceal their transaction trail. However, more ETH is reportedly still held in a wallet address that Etherscan has linked to the attacker.
Following PeckShield’s report of the exploit, Rodeo Finance’s total value locked (TVL), which was $20 million, dropped to less than $500. The DeFi protocol’s native token has also experienced a 53% price decline during the day.
PeckShield originally reported that the protocol lost $1.5 million, but it later corrected the figure to $888,000, citing a double calculation.
This Rodeo Finance exploit is another in a series of DeFi hacks that have happened recently. On July 10, 2023, PeckShield reported an attack on Arcadia Finance, another non-custodial DeFi protocol. As a result of the attack, the protocol lost $455,000.
The attacker also took advantage of a programming flaw in Arcadia’s code to execute the attack. PeckShield claimed that the lack of reentrancy protection in Arcadia’s code made it easy for the attacker to bypass the internal health check of its vault and quickly liquidate its funds.