Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
Arcadia Finance has been attacked on Ethereum and Optimism, with total profits of $400K. The root cause is that in function vaultManagementAction, the attacker can first transfer all the asset to his own controlled contract and re-entry the function liquidateVault to liquidiate the vault. In this case, the global variable "isTrustedCreditorSet" will be set as false and the Collateral check can be bypassed. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 455,000.
- chain
- ethereum
- protocol
- Arcadia Finance
- bug_class
- logic
- date_occurred
- 2023-07-10
- loss_usd
- $455,000
- source_id
- sm:arcadia-finance::2023-07-10