Arbitrum-based Rodeo Finance has lost $888,000 in a recent attack.
A “ForceInvestment” hack was deployed, allowing the attacker to steal 472 ETH ($888,000). The wallet later sent 150 ETH into the mixer Tornado Cash, leaving 371 ETH remaining in the wallet.
The exploiter initially funded 50 ETH from Tornado Cash to execute the hack.
Arbitrum is a popular layer-2 scaling solution for the Ethereum network that uses optimistic roll-up technology.
Blockchain security firm PeckShield first highlighted the attack on Twitter with a link to the attack transaction, commenting, “Hello, @Rodeo_Finance it’s your decision to have a look.”
The attacker used the “Investor.earn()” function to force a swap from Rodeo’s interest-bearing USDC pool. First, the exploiter took 290 Wrapped Ethereum (WETH) from the pool, bridging the assets to the Ethereum network before using oracle manipulation to inflate the value of their ETH by swapping it for unshETH.
unshETH is a DeFi project aimed at promoting validator decentralization by creating a market for staked ETH liquidity in which validators compete to offer the best yield.
When the above swap is performed, the slippage control (the difference between a trade’s order and its execution) is invalid. This meant that the conversion of WETH to unshETH did not reflect a fair market price.
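The effect of a missing slippage bound can be shown with a small model. The following is an added example, not Rodeo Finance's code: it assumes a fee-less constant-product pool, and the pool sizes, the 1:1 reference price and the 1% tolerance are constructed values.

```python
# Added illustration: not Rodeo Finance code. Pool sizes, the reference
# price and the 1% tolerance are constructed values.
from dataclasses import dataclass

BPS = 10_000  # basis-points denominator

class SlippageExceeded(Exception):
    """Raised when a swap would execute below the caller's minimum output."""

@dataclass
class Pool:
    """Constant-product pool (x * y = k), no fee, integer token units."""
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        # Output implied by the x*y=k invariant, rounded down.
        return (amount_in * self.reserve_out) // (self.reserve_in + amount_in)

    def swap(self, amount_in: int, min_out: int) -> int:
        out = self.quote(amount_in)
        if out < min_out:  # the slippage control: revert before changing state
            raise SlippageExceeded(f"got {out}, need at least {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

def min_out_from_reference(amount_in, ref_num, ref_den, tolerance_bps):
    """Minimum acceptable output from an independent reference price
    (ref_num/ref_den output tokens per input token) minus the tolerance."""
    fair = amount_in * ref_num // ref_den
    return fair * (BPS - tolerance_bps) // BPS

def guarded_swap(pool, amount_in, ref_num, ref_den, tolerance_bps=100):
    # Bound derived from a price source other than the pool being traded.
    bound = min_out_from_reference(amount_in, ref_num, ref_den, tolerance_bps)
    return pool.swap(amount_in, bound)

def unguarded_swap(pool, amount_in):
    # min_out = 0 disables slippage control: any execution price is accepted.
    return pool.swap(amount_in, 0)
```

Against a thin pool the unguarded swap fills at a small fraction of the reference value, while the guarded swap reverts and leaves the reserves unchanged.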
The attacker then bridged back to the Ethereum network to steal another 230 WETH from the Rodeo vault, before bridging back to the Ethereum network, sending 150 ETH into Tornado Cash and leaving 371 ETH in the wallet.
A total of 520 WETH was taken from the Rodeo vault, but only 472 WETH is counted as losses. This is due to the attacker funding the wallet with 50 ETH to execute the exploit.
PeckShield initially reported this as a $1.5 million loss but later corrected it to an $888,000 loss due to a double calculation.