- The R Roundup
- Posts
- RRUPDATE📍: Unmasking the Dark Secrets of Rodeo Finance’s Recent Attack
RRUPDATE📍: Unmasking the Dark Secrets of Rodeo Finance’s Recent Attack
Rodeo Finance, a decentralized finance (DeFi) platform, recently fell victim to a sophisticated attack known as an oracle manipulation.
The R Roundup.sol
July 11, 2023
RRUPDATE📍: Unmasking the Dark Secrets of Rodeo Finance’s Recent Attack
Rodeo Finance, a decentralized finance (DeFi) platform, recently fell victim to a sophisticated attack known as an oracle manipulation.
The attacker managed to abscond with approximately 810 ether, equivalent to $1.5 million, on the Arbitrum network, marking the latest incident in a string of exploits targeting the DeFi space.
Our analysis shows that the @Rodeo_Finance hack (w/ ~$1.53M loss) is a so-called "ForceInvestment" hack: the Investor.earn() routine has a flaw that can be forced to swap $USDC -> $WETH -> $unshETH, but the slippage control cannot take effect as expected due to the flawed… https:twitter.com/i/web/status/1…:
— PeckShield Inc. (@peckshield)
9:39 AM • Jul 11, 2023
According to PeckSheild's findings, the attacker swiftly transferred the illicitly obtained funds from Arbitrum to Ethereum. Subsequently, the stolen tokens were exchanged for various other assets before being converted back into ether. In the final stage of the exploit, the ether was routed through Tornado Cash, a widely used transaction mixer on the Ethereum network, effectively masking the trail of the funds.
Despite the severity of the attack, the team at Rodeo Finance has yet to issue an official response or statement regarding the incident. Gor Igamberdiev, the head of research at Wintermute, referred to the attack as a “TWAP oracle manipulation.”
In the realm of DeFi, TWAP, or Time-Weighted Average Price, serves as an oracle that calculates the average price of an asset over a specific time period. This technique is typically employed to mitigate the impact of short-lived price fluctuations.
DeFi hackers exploit TWAP oracles by artificially distorting the calculated average price of an asset, granting them an unfair advantage during transactions. Such manipulation creates a fertile ground for various forms of attacks, including flash loan exploits. In this type of exploit, the attacker borrows a substantial amount of a particular asset, devalues it through TWAP oracle manipulation, and then acquires more of the same asset at the artificially reduced price. By repaying the loan, the attacker retains the surplus, thus profiting from an intricate manipulation scheme.
Over the past few years, complex maneuvers like these have become go-to tactics for hackers who manipulate oracle price data feeds to carry out their exploits, as seen in the case of Rodeo Finance. The Rodeo exploit is not an isolated incident; rather, it is part of an alarming trend that has plagued the Arbitrum ecosystem in recent months.
As a reminder, this is not a trading signal or investment advice; it is an opinion, and each trader/investor should know and understand the risks of trading cryptocurrencies.
This should not be regarded as financial advice; feel free to familiarise yourself with our NFA disclaimer.
Reply