Ethereum Hack: DeFi Initiative Rodeo Finance Loses $888,000

A perpetrator escaped with approximately $888,000 worth of Ethereum from Rodeo’s USDC pool, which generated interest. A recent cyberattack cost Arbitrum-based Rodeo Finance $888,000 in losses.

The attack, known as the “ForceInvestment” incident, allowed the perpetrator to make off with 472 Ethereum, leaving Rodeo Finance reeling from the aftermath. The attacker targeted Rodeo Finance’s USDC pool, which generates interest for its users.

By exploiting the “Investor. earn()” feature, the hacker coerced a swap from the pool, withdrawing 290 Wrapped Ethereum (WETH) units and transferring them to the Ethereum network.

However, things took a turn when the perpetrator attempted to manipulate oracles to artificially inflate the value of their acquired Ethereum (ETH) by exchanging it for unsheath tokens.

The mechanism designed to control slippage, which ensures the accuracy of fair market value representation during transactions, failed during this exploit. Consequently, the conversion from wrapped ETH (WETH) to unshETH did not reflect the actual market value, enabling the attacker to profit further.

PeckShield, a renowned blockchain security firm, sounded the alarm by sharing details of the attack on Twitter. They tagged Rodeo Finance in their message, urging them to investigate the incident promptly.

Hi, @Rodeo_Finance you may want to take a look: https://t.co/ExSpR3qzqj

— PeckShield Inc. (@peckshield) July 11, 2023

PeckShield initially reported the losses to be around $1.5 million, but after revising their calculations, they confirmed the actual amount to be $888,000.

Tornado Cash Mixer & Rodeo Vault Targeted In The Attack

Following the attack’s initial phase, the perpetrator used the Tornado Cash mixer to anonymize their transactions. They transferred 150 ETH to the mixer, leaving 371 ETH in the compromised wallet.

By leveraging the mixer’s features, the hacker attempted to cover their tracks and further complicate the identification process. The exploit did not end there. The attacker returned to the Ethereum network and managed to gain control of 520 WETH from the Rodeo vault.

Strangely, when disclosing the extent of their actions, the perpetrator only admitted to obtaining 472 WETH. It remains unclear why they chose to understate their total haul.

As a DeFi project built on the Arbitrum network, Rodeo Finance aims to enhance validator decentralization. It achieves this through a marketplace that facilitates the trading of staked ETH liquidity.

The project promotes healthy competition among validators, focusing on providing attractive yields for participants. However, this recent incident has exposed vulnerabilities in Rodeo Finance’s security infrastructure. It has raised concerns about the platform’s overall safety and resilience.

Related Reading | Ethereum Staking Nears 20% Of Supply Amid Regulatory Hurdles

As the investigation unfolds, the Rodeo Finance team must work swiftly to address the vulnerabilities exploited in the attack. They also need to reassure their users of their commitment to security.