Arcadia Finance Rebalancer swapData Delegated Power Abuse

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Arcadia Finance Logo/Homepage

Arcadia Finance, a DeFi platform known for its automated liquidity strategies, was exploited via its rebalancer contract, which allowed arbitrary "swapData" execution. The attacker stole approximately $3.5 million in assets, including 2.3M USDC and 227k USDS. In response, Arcadia issued urgent warnings for users to disconnect rebalancers and revoke token permissions, and later introduced a bounty of up to $360,000 for information leading to fund recovery. The platform initially gave the exploiter a 12-hour window to respond but did not offer a traditional bounty deal, and as of now, no funds have been recovered.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]

About Arcadia Finance

Arcadia is a DeFi platform designed to simplify and optimize liquidity management across decentralized exchanges (DEXs) such as Uniswap, Aerodrome, and Alienbase. It enables users to manage, automate, and leverage liquidity positions with minimal effort through a unified interface. Users can compare yield opportunities across different pools and DEXs, select from curated strategies, and access top-performing token pairs—from major assets like ETH and BTC to trending memecoins. Arcadia supports a wide range of tokens and liquidity positions, making it accessible to both retail and institutional investors seeking yield and capital efficiency.

Arcadia offers a variety of advanced automated strategies with varying risk profiles and leverage options. These include Pseudo Delta Neutral strategies (ETH or USD-focused), Bullish or Bearish Crypto strategies, and more, with potential APYs ranging from around 30% to over 680%. Each strategy outlines leverage limits, supported pools, and risks such as interest rate volatility and liquidation. With one-click execution, users can borrow, swap, and provide liquidity simultaneously, enhancing yield while maintaining relative control over risk exposure. Tools also allow users to customize parameters like tick ranges and leverage for precision optimization.

The platform is audited by multiple firms (including Sherlock and bytes032), and is backed by leading investors like Coinbase Ventures and Mechanism Capital. Arcadia is trusted by a growing DeFi community for its intuitive UI, transparency, and responsive support. Institutions and large capital allocators can collaborate directly with Arcadia to develop tailored strategies and access deep liquidity. With no lockups or withdrawal fees, Arcadia is also a viable passive income source for lenders. The community continues to praise the protocol’s usability, risk controls, and continuous product improvement.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Arcadia Finance was exploited through its rebalancer contract, resulting in a $3.5 million loss.

Key Event Timeline - Arcadia Finance Rebalancer swapData Delegated Power Abuse
Date Event Description
July 14th, 2025 10:05:58 PM MDT Reported Time Of Attack The reported time of the attack happening.
July 14th, 2025 10:48:00 PM MDT CertiK Alert Tweet Posted CertiK posts a tweet notifying of the incident happening. At this time, losses are reported as $1.6m.
July 14th, 2025 10:57:00 PM MDT Arcadia Finance Posts Announcement Arcadia Finance posts a public acknowledgement that they have detected unauthorized activity.
July 15th, 2025 12:44:00 AM MDT Cyvers Reports Initial Attack Cyvers reports the initial attack for 2.5M USD against Arcadia Finance.
July 15th, 2025 2:50:00 AM MDT Cyvers Reports More Attacks Cyvers reports additional attacks happening for another $1m USD in multiple transactions.
July 15th, 2025 4:47:00 AM MDT The Block Article Posted The Block shares an article about the incident.

Technical Details

The exploiter seems to use arbitrary "swapData" on their rebalancer contract to execute the exploit.

Total Amount Lost

Stolen tokens include 2.3M USDC, 227k USDS, plus an additional $1m USD worth of tokens.

Because the $1m USD happened subsequent to the other tokens, some sources report $2.5m USD being taken, while others report $3.5m USD.

The total amount lost has been estimated at $3,600,000 USD.

Immediate Reactions

Arcadia Finance originally posted a notice:

"The team is aware of unauthorized transactions via a Rebalancer. Remove all permissions for asset managers. More information will follow."

They provided instructions for users to disconnect their wallets and stop losing funds.

Ultimate Outcome

Warning showing up on the homepage: "DISCONNECT REBALANCERS AND COMPOUNDERS FROM YOUR ACCOUNTS. We've detected unusual activity affecting automation features. Please disconnect all rebalancers and compounders from your account now. Also revoke access to all ERC20 tokens the account had access to."

Arcadia Finance offered the attacker a 12 hour window in which they could contact the team. Their post was highly threatening to the exploiter, and did not appear to offer a 10% bounty.

A bounty of $360,000 USD was paid for the discovery.

Total Amount Recovered

There is no indication that any funds have been recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Arcadia Finance has introduced a bounty for information that leads to the recovery of the funds, with rewards up to $360,000 USD.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Arcadia Finance - "We will allow the attacker a 12h grace period starting now to contact us, after which a bug bounty will be opened rewarding 10% of funds returned if the intel leads to a recovery." - Twitter/X (Accessed Jul 17, 2025)
  2. Cyvers Alerts - "ALERT Today, our system has detected a multiple suspicious transaction involving @ArcadiaFi on #Base with loss of 2.5M." - Twitter/X (Accessed Jul 17, 2025)
  3. Cyvers Alerts - "UPDATE @ArcadiaFi attacker has just executed another ~$1M from #arcadia in multiple transactions!" - Twitter/X (Accessed Jul 17, 2025)
  4. Arcadia Finance Loses $2.5 Million in DeFi Exploit - AInvest (Accessed Jul 17, 2025)
  5. Arcadia Finance exploited, $3.5M stolen and converted to WETH - CoinTelegraph (Accessed Jul 17, 2025)
  6. $3.5 million exploit hits DeFi platform Arcadia on Base - The Block (Accessed Jul 17, 2025)
  7. CertiK Alert - "We have detected multiple suspicious transactions on Base... The exploiter took ~$1.6M from @ArcadiaFi, likely through arbitrary 'swapdata' on its rebalancer contract." - Twitter/X (Accessed Jul 17, 2025)
  8. First Attack Transaction - CertiK Skylens (Accessed Jul 17, 2025)
  9. Second Attack Transaction - CertiK Skylens (Accessed Jul 17, 2025)
  10. Arcadia Finance Hack - Revoke.Cash (Accessed Jul 17, 2025)
  11. Arcadia Finance Hack 2025 – What We Know So Far - GetFailSafe (Accessed Jul 17, 2025)
  12. Arcadia Finance Homepage (Accessed Jul 17, 2025)
  13. Arcadia Finance - Fjord Foundry (Accessed Jul 17, 2025)
  14. Arcadia Finance - Ethereum Ecosystem (Accessed Jul 17, 2025)
  15. Competitors To Arcadia Finance - Messari (Accessed Jul 17, 2025)
  16. How Arcadia Finance Integrates Virtual TestNets at Each Stage of Development - Tenderly Blog (Accessed Jul 17, 2025)
  17. Arcadia Finance - LinkedIn (Accessed Jul 17, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Arcadia_Finance_Rebalancer_swapData_Delegated_Power_Abuse&oldid=6850"