- Rodeo Finance is a decentralized finance (DeFi) protocol based on Arbitrum.
- The hacker manipulated price oracles and executed trades using the manipulated price.
- The price of the native Rodeo Finance token plunged 54% after the hack.
On July 11, Arbitrum-powered decentralized finance (DeFi) protocol Rodeo Finance was hacked, resulting in the loss of 810 Ether (ETH) worth $1.53 million. The DEX was exploited using a code vulnerability in its oracle.
PeckShield, a blockchain analytics firm, published data showing that the exploiter ultimately moved the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for $unshETH. The ETH was then placed in ETH2 staking by the miner. Finally, the exploiter used Tornado Cash, a well-known mixing service, to route the stolen ETH.
Oracle manipulation of time-weighted average price (TWAP)
The hacker manipulated Rodeo's time-weighted average price (TWAP) oracle and altered the price of ETH.
A TWAP oracle is used by DeFi protocols to calculate the average price of an asset over a specific interval, smoothing out price fluctuations caused by volatility in the crypto market. However, it is vulnerable to manipulation that artificially biases the calculated average asset price.
The exploiter first borrowed a large sum of ETH and then artificially manipulated the price to buy the same asset at a deflated price. Later, the hacker repaid the loan and made a profit based on the low price after the manipulation.
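The averaging described above can be checked numerically. The following is an added example, not Rodeo Finance's code: it computes a TWAP over a constructed price feed and applies a deviation guard against a reference price. The names `twap`, `within_bounds`, the feed values, and the second reference feed are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    timestamp: int  # seconds since the start of the constructed feed
    price: float    # quote-currency units per ETH

def twap(observations, window, now):
    """Time-weighted average over [now - window, now]; each price holds until the next sample."""
    start = now - window
    obs = sorted(observations, key=lambda o: o.timestamp)
    weighted = covered = 0.0
    # Pair every sample with its successor; the last sample holds until `now`.
    for cur, nxt in zip(obs, obs[1:] + [Observation(now, 0.0)]):
        lo, hi = max(cur.timestamp, start), min(nxt.timestamp, now)
        if hi > lo:
            weighted += cur.price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered

def within_bounds(oracle_price, reference_price, max_deviation=0.05):
    """Guard: accept the oracle price only if it stays close to an independent reference."""
    return abs(oracle_price - reference_price) / reference_price <= max_deviation

# Constructed feed: 55 minutes at 1900, then 5 minutes of samples skewed to 950.
NOW = 3600
SAMPLE_FEED = ([Observation(t, 1900.0) for t in range(0, 3300, 60)]
               + [Observation(t, 950.0) for t in range(3300, 3600, 60)])
REFERENCE_PRICE = 1900.0  # assumed value from a second, independent feed

if __name__ == "__main__":
    for window in (600, 3600):
        price = twap(SAMPLE_FEED, window, NOW)
        print(window, round(price, 2), within_bounds(price, REFERENCE_PRICE))
```

With the 10-minute window the skewed samples make up half of the average and the guard rejects the result; with the 60-minute window the same samples shift the average by about 4%, which passes a 5% bound but is still biased.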
Rodeo’s TVL Drops Significantly
In addition to causing the Rodeo Finance (RDO) token to plummet by 54%, the hack also led to a drastic drop in the Total Value Locked (TVL) in Rodeo.
Before the hack, the DeFi protocol had $20 million in TVL, but it has since fallen below $500.
This is the second time Rodeo Finance has been hacked in July 2023. It was also hacked on July 5, 2023, and $89,000 in crypto assets were lost due to a vulnerability in its “mintProtocolReserves” function.