Rodeo Finance Exploit on Arbitrum Leads to $888,000 Loss

Summary

On July 11, 2023, Rodeo Finance on Arbitrum was breached, losing around 472 ETH ($888,000) after an attacker exploited the TWAP Oracle. By manipulating the oracle’s price calculation through a “sandwich” attack, the attacker inflated asset prices. This misled the protocol, allowing the attacker to borrow against the inflated prices from the USDC Pool and to conduct swaps that profited from the manipulated price discrepancies, effectively bypassing Rodeo’s security checks.

Attackers

The identity of the attacker is unknown.

Hacker Arbitrum Wallet:

Losses

The loss amounted to 472 ETH worth $880,000.

Timeline

  • July 11, 2023, 07:54 AM UTC: The first malicious transaction occurred.
  • July 11, 2023, 04:05 PM UTC: Rodeo Finance reported the exploit.
  • July 11, 2023, 05:26 PM UTC: Rodeo Finance sent an on-chain message to the attacker to negotiate the return of the stolen funds.
  • July 12, 2023: Rodeo Finance published an exploit Post-Mortem.

Security Failure Causes

  • Price Oracle Manipulation: The exploit combined a smart contract vulnerability in the TWAP Oracle’s pricing mechanism with flash loans used to move asset prices significantly. The protocol then made decisions based on incorrect asset prices, ultimately compromising the system’s integrity.
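To illustrate why an oracle read over too short a window is exposed to a single-block price move, here is an added example (not Rodeo Finance code; the pool, the 60-block history and the 5% deviation threshold are constructed assumptions). It models a constant-product pool, records one manipulated block, and applies a spot-vs-TWAP deviation guard of the kind a lending protocol can run before accepting a price:

```python
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    """Minimal fee-free x*y=k pool (constructed for illustration only)."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        # price of one unit of A expressed in B
        return self.reserve_b / self.reserve_a

    def buy_a_with_b(self, amount_b: float) -> float:
        # a large B-in swap raises A's spot price within a single block
        k = self.reserve_a * self.reserve_b
        new_reserve_b = self.reserve_b + amount_b
        new_reserve_a = k / new_reserve_b
        out_a = self.reserve_a - new_reserve_a
        self.reserve_a, self.reserve_b = new_reserve_a, new_reserve_b
        return out_a

def twap(block_prices: list[float], window: int) -> float:
    """Time-weighted average of the last `window` blocks (assumes equal block times)."""
    if window < 1 or window > len(block_prices):
        raise ValueError("window must lie within the recorded history")
    return sum(block_prices[-window:]) / window

def deviation_bps(spot: float, reference: float) -> int:
    return int(abs(spot - reference) / reference * 10_000)

def price_accepted(spot: float, reference: float, max_dev_bps: int = 500) -> bool:
    """Guard a lending decision: refuse a spot price too far from the TWAP reference."""
    return deviation_bps(spot, reference) <= max_dev_bps

def simulate(window: int, max_dev_bps: int = 500) -> dict:
    pool = ConstantProductPool(1_000.0, 1_000.0)
    history = [pool.spot_price()] * 60  # 60 quiet blocks at price 1.0 (constructed)
    pool.buy_a_with_b(1_000.0)           # one in-block swap moves spot from 1.0 to 4.0
    history.append(pool.spot_price())   # the manipulated block is what the oracle observes
    ref = twap(history, window)
    return {"spot": pool.spot_price(), "twap": ref,
            "accepted": price_accepted(pool.spot_price(), ref, max_dev_bps)}

if __name__ == "__main__":
    for w in (1, 30):
        print(f"window={w}", simulate(w))
```

With a 1-block window the TWAP equals the manipulated spot, so the deviation guard passes the inflated price; with a 30-block window the reference stays near 1.1 and the same guard rejects it, which is why window length, not the guard alone, decides whether a sandwich-style move is detected.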