Rodeo Finance Exploit on Arbitrum Leads to $888,000 Loss

July 11, 2023

Summary #

On July 11, 2023, Rodeo Finance on Arbitrum was breached, losing around 472 ETH ($888,000) due to an attacker exploiting the TWAP Oracle. By manipulating the oracle’s price calculation, through a “sandwich” attack, they inflated asset prices. This allowed them to mislead the protocol, borrow against the inflated prices from the USDC Pool, and conduct swaps to profit from the manipulated price discrepancies, effectively bypassing Rodeo’s security checks.

Attackers #

The identity of the attacker is unknown.

Hacker Arbitrum Wallet:

0x2f3788f2396127061c46fc07bd0fcb91faace328

Losses #

The loss amounted to 472 ETH worth $880,000.

Timeline #

July 11, 2023, 07:54 AM UTC: The first malicious transaction occurred.
July 11, 2023, 04:05 PM UTC: Rodeo Finance reported about the exploit.
July 11, 2023, 05:26 PM UTC: Rodeo Finance sent an on-chain message to the attacker to negotiate the return of the stolen funds.
July 12, 2023: Rodeo Finance published an exploit Post-Mortem.

Security Failure Causes #

Price Oracle Manipulation: The exploit combined a smart contract vulnerability, exploiting TWAP Oracle’s pricing mechanism, and using flash loans to manipulate asset prices significantly. This led to the protocol making decisions based on incorrect asset prices, ultimately compromising the system’s integrity.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam