An exploiter was able to run away with roughly $888,000 in Ethereum from Rodeo’s interest-bearing USDC pool.
Hi, @Rodeo_Finance you may want to take a look: https://t.co/ExSpR3qzqj
— PeckShield Inc. (@peckshield) July 11, 2023
Arbitrum-based Rodeo Finance has lost $888,000 in a recent attack.
A “ForceInvestment” hack was deployed, allowing the attacker to steal 472 Ethereum ($888,000). The wallet later sent 150 ETH into mixer Tornado Cash, leaving 371 ETH remaining in the wallet.
The exploiter originally funded 50 ETH from Tornado Cash to execute the hack.
Arbitrum is a popular layer-2 scaling solution for the Ethereum network that uses optimistic roll-up technology.
Blockchain security firm PeckShield first highlighted the attack on Twitter with a link to the attack transaction, commenting, "Hi, @Rodeo_Finance you may want to take a look."
The attacker used the “Investor.earn()” function to force a swap from Rodeo’s interest-bearing USDC pool. First, the exploiter took 290 Wrapped Ethereum (WETH) from the pool, bridging the assets to the Ethereum network before using oracle manipulation to inflate the price of their ETH by swapping it for unshETH.
unshETH is a DeFi project aimed at promoting validator decentralization by creating a marketplace for staked ETH liquidity in which validators compete to offer the best yield.
When the above swap is performed, the slippage control—the difference between a trade’s order and its execution—is invalid. This meant that the conversion of WETH to unshETH did not reflect a fair market value.
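The slippage-control point above, as an added example that is not Rodeo's code or the DEX's code: a Python model of a constant-product pool whose swap takes a minimum-output bound. The pool, its reserves, the fee and the reference price are all constructed assumptions. The point it shows is that a bound derived from an independent reference price (a TWAP or external oracle) rejects a trade executed at a skewed spot price, while a bound of zero, the "no slippage control" case, lets the trade settle at whatever rate the pool currently offers.

```python
from dataclasses import dataclass


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum acceptable output."""


@dataclass
class ConstantProductPool:
    """Simplified x*y=k pool; a hypothetical stand-in for the DEX the swap went through."""
    reserve_in: float    # token being sold, e.g. WETH
    reserve_out: float   # token being bought, e.g. unshETH
    fee_bps: int = 30    # 0.30% swap fee, an assumed common default

    def spot_price(self) -> float:
        """Marginal price in token_out per token_in, i.e. what a naive on-pool oracle reads."""
        return self.reserve_out / self.reserve_in

    def quote(self, amount_in: float) -> float:
        """Output for amount_in under x*y=k after the fee, including price impact."""
        net_in = amount_in * (10_000 - self.fee_bps) / 10_000
        return self.reserve_out * net_in / (self.reserve_in + net_in)

    def swap(self, amount_in: float, min_out: float) -> float:
        """Execute the swap; 'revert' (raise) if the output falls below min_out.
        min_out=0 is the unprotected case: any execution price is accepted."""
        out = self.quote(amount_in)
        if out < min_out:
            raise SlippageExceeded(f"got {out:.4f}, required at least {min_out:.4f}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def min_out_from_reference(amount_in: float, reference_price: float, max_slippage_bps: int) -> float:
    """Minimum acceptable output derived from an independent reference price,
    not from the pool's own spot price, so a skewed pool cannot lower the bar."""
    expected = amount_in * reference_price
    return expected * (10_000 - max_slippage_bps) / 10_000


def run_scenarios() -> dict:
    """Constructed scenario: sell 10 WETH with a 1% slippage bound against a
    reference price of 1.0 unshETH per WETH, in a fair pool and in a skewed pool."""
    amount_in = 10.0
    min_out = min_out_from_reference(amount_in, reference_price=1.0, max_slippage_bps=100)  # 9.9

    fair = ConstantProductPool(reserve_in=10_000, reserve_out=10_000)
    fair_out = fair.swap(amount_in, min_out)  # about 9.96, within 1% of the expected 10.0

    # Skewed pool: reserves imbalanced so the spot price is half the reference price.
    # With min_out=0 the swap still executes, at roughly half of fair value.
    skewed_unguarded = ConstantProductPool(reserve_in=10_000, reserve_out=5_000)
    bad_out = skewed_unguarded.swap(amount_in, min_out=0.0)  # about 4.98

    # Same skewed pool, but with the reference-derived bound: the swap reverts.
    skewed_guarded = ConstantProductPool(reserve_in=10_000, reserve_out=5_000)
    try:
        skewed_guarded.swap(amount_in, min_out)
        guarded_reverted = False
    except SlippageExceeded:
        guarded_reverted = True

    return {
        "min_out": min_out,
        "fair_out": fair_out,
        "unguarded_bad_out": bad_out,
        "guarded_reverted": guarded_reverted,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The check that matters is where `min_out` comes from: computing it from the same pool's spot price at execution time makes the bound track the manipulation and defeats its purpose, which is why the example derives it from a reference price the trade itself cannot move.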
The attacker then bridged back to the Ethereum network to steal another 230 WETH from the Rodeo vault. The wallet then sent 150 ETH into Tornado Cash, leaving 371 ETH in the wallet.
A total of 520 WETH was taken from the Rodeo vault, but only 472 WETH are counted as losses, because the attacker had funded the wallet with 50 ETH to execute the exploit.
PeckShield originally reported this as a $1.5 million loss but later corrected it to $888,000 after a double-counting error.