The Arcadia Finance platform, a decentralized finance (DeFi) protocol, recently experienced a cyber attack leading to the loss of $455,000 worth of cryptocurrency. According to the app’s development team, the hacker exploited a bug known as the reentrancy exploit, which interrupts multi-step processes in the protocol’s system, thus preventing their correct completion.
In the hacker’s intrusion, the liquidateVault() function, which lacked a reentrancy check, was the point of exploitation. With the nefarious actor’s intervention, the function was called upon prematurely – before the completion of a health check and after withdrawal of funds. The fallout was that the hacker could borrow funds and not settle the debt, ultimately draining the protocol.
This incident has brought to light the need for comprehensive and robust security checks at every step of the processes within DeFi protocols. Yet, arguably, an overly stringent security system might hamper the easy operability and flexibility that DeFi platforms promise.
For instance, in the aftermath of the Arcadia hack, the team paused contracts and began working on a patch, effectively bringing the entirety of the protocol’s operations to a halt. While it shows a commendable response and commitment towards customer safety, such pauses can potentially disrupt the operations of genuine users.
Yet, the alternative is fraught with issues as well. In the absence of stringent security checks, a hacker was able to essentially ‘rope-a-dope’ the system. Utilising a flash loan, they placed an initial deposit in an Arcadia vault, borrowed funds, deposited said money back into the vault, withdrew all funds, leaving nothing but a massive debt. The hacker then used a malicious contract to call upon liquidateVault() before a health check could register the debt.
Subsequently, the vault was liquidated of all liabilities, leaving it ostensibly ‘healthy’. Upon the health check’s conclusion, transactions went through without a hitch, and this sequence was repeated until a total of $455,000 was drained.
While the Arcadia team has actively begun efforts to track down the intruder, offering both threats and pleas for the return of the funds, the incident does bring to light the double-edged sword that is security within DeFi protocols.
To balance the benefits of decentralisation and ease of operability with robust security checks is a task that might appear Sisyphean. However, given the mounting issues relating to breaches and losses, it is a mission that developers and technologists within the DeFi space need to undertake post-haste. As it stands, both the Arcadia finance team and their users are left to grapple with the fallout from this unprecedented exploit.
Given the frequency of such incidents in the crypto space, it becomes apparent that the DeFi community must tread a path, not just between optimising their platforms for smooth functionality but also ensuring the safeguarding of user assets. The ambiguity surrounding the protocols’ security has once again been brought into focus, necessitating a decisive and effective solution.
Source: Cointelegraph