Arbitrum-based DeFi protocol Rodeo Finance has suffered its second exploit in the space of one week. This time, the attacker made off with 472 ETH, worth roughly $888,000, after exploiting a vulnerability in the protocol's code.
Smart contract audit firm QuillAudit gave a detailed explanation of how the attacker carried out the heist.
It described how the attacker was able to exploit a vulnerability in the implementation of the protocol's Time-Weighted Average Price (TWAP) oracle.
TWAP is a pricing algorithm used by DeFi protocols to calculate the average price of an asset over a set period, cushioning the effect of short-term price volatility. After manipulating the TWAP oracle, the hacker was able to borrow 400k USDC by calling the Investor.earn function. He then swapped it in the CamelotDEX pool and sold the unshETH back to the pool.
In a nutshell, he borrowed assets, artificially lowered the price, repaid the loan and profited from the manipulated price discrepancy.
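To make the mechanism above concrete from the defender's side, here is an added Python simulation of a Uniswap-v2-style cumulative-price TWAP oracle. It is constructed example code, not Rodeo Finance's, Camelot's or QuillAudit's, and the block time, prices, window lengths and the `within_deviation` guard are all assumptions. It shows why an oracle that reads a single price-update interval is fully exposed to a price pushed for one block around its update, while a 30-minute window dilutes the same push to a few percent, and how a consumer-side deviation check catches what remains.

```python
from bisect import bisect_right


class CumulativePriceOracle:
    """Uniswap-v2-style price accumulator (constructed model, not protocol code).

    Each recorded spot price is weighted by the number of seconds it held
    before the next update, so twap() returns a true time-weighted mean.
    """

    def __init__(self):
        # Parallel lists: checkpoint timestamps, cumulative price at that
        # checkpoint, and the spot price that holds from that checkpoint on.
        self.ts = []
        self.cum = []
        self.spot = []

    def update(self, timestamp, spot_price):
        """Record a new spot price (a trade, or a keeper's price update)."""
        if self.ts:
            if timestamp < self.ts[-1]:
                raise ValueError("timestamps must be non-decreasing")
            # Weight the previous spot by how long it held.
            cum = self.cum[-1] + self.spot[-1] * (timestamp - self.ts[-1])
        else:
            cum = 0.0
        self.ts.append(timestamp)
        self.cum.append(cum)
        self.spot.append(spot_price)

    def cumulative_at(self, t):
        """Cumulative price at time t, extrapolating the last known spot."""
        i = bisect_right(self.ts, t) - 1
        if i < 0:
            raise ValueError("no observation at or before t")
        return self.cum[i] + self.spot[i] * (t - self.ts[i])

    def twap(self, window, now):
        """Time-weighted average price over [now - window, now]."""
        if window <= 0:
            raise ValueError("window must be positive")
        return (self.cumulative_at(now) - self.cumulative_at(now - window)) / window


def within_deviation(new_price, reference_price, max_bps):
    """Consumer-side guard (assumed mitigation): reject a reading that moved
    more than max_bps basis points from a reference such as the previous
    accepted reading or an independent price feed."""
    change_bps = abs(new_price - reference_price) / reference_price * 10_000
    return change_bps <= max_bps


def simulate(block_time=12, blocks=600, fair=1.0, pushed=10.0):
    """Constructed scenario: the pool trades at `fair` for `blocks` blocks,
    then the spot price is pushed to `pushed` for exactly one block interval,
    which is the interval the oracle happens to sample at `now`."""
    oracle = CumulativePriceOracle()
    for b in range(blocks):
        oracle.update(b * block_time, fair)
    last = blocks * block_time
    oracle.update(last, pushed)      # pushed price holds for one interval
    now = last + block_time
    return {
        "one_block_window": oracle.twap(block_time, now),  # 10.0
        "thirty_min_window": oracle.twap(1800, now),       # 1.06
    }


if __name__ == "__main__":
    r = simulate()
    print(f"1-block TWAP : {r['one_block_window']:.4f}")
    print(f"30-min TWAP  : {r['thirty_min_window']:.4f}")
    print("30-min reading passes 5% guard:",
          within_deviation(r["thirty_min_window"], 1.0, 500))
```

The two readings differ because the accumulator weights a price by the time it held: a push that lasts one 12-second interval is the entire sample when the window is one interval, but only 12/1800 of the sample when the window is 30 minutes. A price pushed and restored within the same block contributes zero weight, which is why the quoted statement stresses that the push straddled the oracle's update. Longer windows, a deviation guard against a second feed, and treating thin DEX pools as untrusted price sources are the usual remediations.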
The attacker bridged the funds from Arbitrum to Ethereum and staked the ETH in ETH 2.0 staking. He then laundered the loot via the crypto mixer Tornado Cash.
Rodeo Protocol issued a statement on the hack, acknowledging that $1.7m was initially stolen. However, it successfully recovered $810k, leaving a remaining deficit of $880k. It also noted that the sandwich attack on its TWAP oracle was the first occurrence of its kind on Arbitrum.
“Like PeckShield mentioned, the attack occurred because one of our oracles, meant to be a twap for Camelot’s uniswap v2 pools, was sandwiched (a first on Arbitrum) just around its price update in order to inflate its price,” Rodeo Finance said.
“The protocol was placed in a paused state to protect funds and will remain so until a remediation plan has been finalized and implemented alongside the advice of multiple security experts. We are working with partners to attempt to track and freeze stolen assets. The next steps are to work with security auditors to finalize the plan of recovery, which will be shared as soon as deemed secure.”
RDO crashes following hack
As expected, RDO plummeted after the exploit. At the time of writing, RDO is trading at $0.1226, having lost more than 51% of its value in the last 24 hours.
The token similarly dipped by 53% on the 5th of July after Rodeo Protocol was hacked for $89,000 due to a vulnerability in its ‘mintProtocolReserves’ function.