July 15, 2025

Arcadia Finance exploited for $2.5M due to a vulnerability in Rebalancer contract

Decentralized finance protocol Arcadia Finance has been exploited, and estimates suggest roughly $2.5 million worth of cryptocurrency has been drained. Arcadia Finance, which operates on the Base blockchain, was targeted on July 15 in a swift and sophisticated attack that drained user funds from multiple vaults.

According to blockchain security firm Cyvers, the attacker exploited a flaw in Arcadia’s Rebalancer contract by passing in arbitrary swap parameters. This allowed them to trigger unauthorised token swaps that bypassed normal checks, ultimately allowing them to drain funds from user vaults without proper validation.

At around 04:05:58 UTC today, the attackers deployed a malicious contract and triggered a sequence of unauthorized transactions. Within a minute, the attacker began siphoning funds from the platform and subsequently converting the stolen tokens to Wrapped Ethereum (WETH) on the Base network before bridging them to Ethereum mainnet addresses.

Cyvers traced the funds and found that the attacker received 199 WETH and over 965 million AERO tokens during the swap process. The stolen cryptocurrencies included approximately 2.3 million USDC and 227,000 USDS, distributed across 12 affected addresses. To obscure their trail, the attacker distributed the funds across intermediary wallets, with Cyvers estimating that the attacker may be preparing to launder the funds via cryptocurrency mixers.

As an immediate post-incident measure, Arcadia Finance has issued a public alert urging users to revoke permissions granted to the platform’s Rebalancer. The team has acknowledged the exploit on social media, confirming “unauthorised transactions via a Rebalancer” and assured users that more information would follow.

Researchers at Cyvers have recommended contacting exchanges and bridge operators to blacklist the attacker’s addresses on Base and Ethereum and file reports with law enforcement to prevent further attacks.

This is not the first time Arcadia Finance has become the victim of an exploit that led to losses. In July 2023, the protocol lost around $455,000 due to another vulnerability in code across some of its contracts. At the time, most of the stolen funds were funneled through Tornado Cash.

DeFi exploits continue to plague crypto users

The Arcadia Finance exploit is the latest in a string of DeFi-related exploits that have transpired in recent months. Last month alone, multiple protocols were exploited by bad actors. For instance, in late June, a hacker was able to launch a price manipulation attack on DeFi protocol Resupply to siphon roughly $9.6 million in crypto. Just days before, blockchain security auditor Hacken lost roughly $250,000 worth of its native HAI token due to a compromised private key.

Over $2.47 billion has been lost to hacks, scams, and exploits across the crypto sector, according to blockchain security firm CertiK. As previously covered in Invezz, Q2 2025 alone saw more than $800 million in losses from 144 incidents, although the figure represented a 52% drop in total value lost compared to the first quarter.

The post Arcadia Finance exploited for $2.5M due to a vulnerability in Rebalancer contract appeared first on Invezz

Source: Invezz
