Rodeo Finance, an Arbitrum-based Layer-2 DeFi project, recently fell victim to a significant hack resulting in a loss of $888,000. The attack, known as "ForceInvestment," enabled the attacker to steal 472 Ethereum ($888,000) from the platform. Subsequently, the hacker sent 150 ETH into the mixer Tornado Cash, leaving 371 ETH remaining in the compromised wallet.
Arbitrum, a popular scaling solution utilizing optimistic roll-up technology for the Ethereum network, served as the infrastructure for Rodeo Finance. The attack was initially brought to attention by blockchain security firm PeckShield via a tweet that included a link to the transaction, advising Rodeo Finance to investigate the matter.
Hi, @Rodeo_Finance you may want to take a look: https://t.co/ExSpR3qzqj
— PeckShield Inc. (@peckshield) July 11, 2023
The attacker leveraged the "Investor.earn()" function to trigger a forced swap within Rodeo's interest-bearing USDC pool. This enabled the hacker to extract 290 Wrapped Ethereum (WETH) from the pool, which was then bridged to the Ethereum network. By manipulating the oracle, the attacker inflated the price of their ETH and swapped it for unshETH.
UnshETH, a DeFi project aimed at facilitating validator decentralization by creating a marketplace for staked ETH liquidity, became a part of the attacker's strategy. However, the swap from WETH to unshETH did not accurately reflect the fair market value due to invalid slippage control, which caused a deviation between the intended trade order and execution.
After bridging back to the Ethereum network, the attacker proceeded to steal an additional 230 WETH from the Rodeo vault. Prior to the final bridge, the hacker utilized Tornado Cash to send 150 ETH, leaving 371 ETH in the compromised wallet.
In total, 520 WETH was taken from the Rodeo vault, with 472 WETH being accounted for as losses. This discrepancy is due to the attacker initially funding the wallet with 50 ETH to execute the exploit.
PeckShield initially reported the loss as $1.5 million, but they later corrected it to $888,000 following a double calculation error.
