Arbitrum-Based Rodeo Finance Loses Nearly $900k in Fresh Exploit

Rodeo Finance, a yield farming project built on the Arbitrum blockchain, has become the latest victim of hackers, losing nearly $900,000 in the process.

The exploit was first discovered by the blockchain security company PeckShield, which alerted the Rodeo Finance team and notified the public. However, the decentralized finance (DeFi) project has yet to comment on the attack.

How Did It Happen?

The hacker carried out the exploit by manipulating Rodeo’s time-weighted average price (TWAP) oracle. A TWAP oracle calculates an asset’s average price over a specified period. TWAP also allows crypto traders to perform large transactions without causing much price volatility in the market.

Attackers manipulate a TWAP oracle on a DeFi protocol by influencing the system to report a discounted average price for the asset in question. This opens the way for other kinds of attacks that profit the attacker at the protocol’s expense.
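
The following is an added example, not part of the original article and not Rodeo's code: a Python implementation of a TWAP over timestamped price samples, with a monitoring check that flags an average that strays from an independent reference price. The sample data, the `reference_price` source and the 5% threshold are assumptions chosen for illustration.

```python
from bisect import bisect_right

def twap(samples, window, now):
    """Time-weighted average price over [now - window, now].

    samples: (timestamp_seconds, price) pairs sorted by timestamp; each price
    is treated as holding until the next sample arrives.
    """
    start = now - window
    times = [t for t, _ in samples]
    i = bisect_right(times, start) - 1  # last sample at or before window start
    if i < 0:
        raise ValueError("no sample covers the start of the window")
    total = 0.0
    while i < len(samples) and samples[i][0] < now:
        seg_start = max(samples[i][0], start)
        seg_end = min(samples[i + 1][0], now) if i + 1 < len(samples) else now
        total += samples[i][1] * (seg_end - seg_start)
        i += 1
    return total / window

def check_oracle(samples, reference_price, window, now, max_deviation=0.05):
    """Return (twap, deviation, ok). ok is False when the TWAP differs from an
    independent reference price by more than max_deviation (a fraction)."""
    avg = twap(samples, window, now)
    deviation = abs(avg - reference_price) / reference_price
    return avg, deviation, deviation <= max_deviation

# Constructed data: one sample every 15 minutes, steady at 100.0, then two
# samples far below the reference price in the last 30 minutes.
SAMPLES = [(0, 100.0), (900, 100.0), (1800, 100.0), (2700, 100.0),
           (3600, 100.0), (4500, 100.0), (5400, 60.0), (6300, 60.0)]
NOW = 7200
REFERENCE = 100.0  # assumed to come from a second, independent price source

if __name__ == "__main__":
    for window in (2700, 7200):  # 45-minute and 2-hour windows
        avg, dev, ok = check_oracle(SAMPLES, REFERENCE, window, NOW)
        status = "ok" if ok else "ALERT: pause price-dependent actions"
        print(f"window={window}s twap={avg:.2f} deviation={dev:.1%} {status}")
```

On this constructed data the longer window dampens the skewed samples (90.00 versus 73.33), yet both averages still exceed the 5% deviation threshold and are flagged.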

In Rodeo’s case, the hacker drained 472 ETH (worth $888,000) from the Arbitrum-based protocol and moved the funds to the Ethereum network. The attacker subsequently swapped the ill-gotten funds for other digital assets. Finally, the bad actor bridged the stolen assets to the Ethereum-based privacy mixer Tornado Cash to reduce the chances of getting caught.

According to the price tracker CoinGecko, Rodeo’s native token, RDO, has plunged in value following the attack. The asset lost over 65% of its value a few hours after the attack commenced. RDO traded at $0.095 at press time, representing a 61% decrease from its value a few hours earlier.

Are Arbitrum-Based Projects Secure?

Since its launch in August 2021, Arbitrum has garnered the attention of many users and projects. Despite security measures put in place by the Arbitrum developer team, several DeFi protocols built on its layer-2 mainnet have fallen victim to exploits in recent months.

In May, for example, Jimbos protocol parted ways with $7.5 million worth of assets after an attacker capitalized on an imbalance in the project’s liquidity pool to extract funds. Hope Finance, another Arbitrum-based project, lost $2 million to a smart contract exploit shortly after its launch.

Other Arbitrum-based projects have rugged their investors in the past few months.