• Rodeo Finance is an Arbitrum-based decentralized finance (DeFi) protocol.
• Hackers manipulated price oracles and used the manipulated prices to execute trades.
• After the hack, the price of Rodeo Finance’s native token dropped 54%.

On July 11th, Rodeo Finance, an Arbitrum-powered decentralized finance (DeFi) protocol, was hacked, resulting in a loss of 810 Ether (ETH) worth $1.53 million. The DEX was exploited through a vulnerability in its oracle code.

Blockchain analytics firm PeckShield has published data showing that the exploiter ultimately transferred the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for $unshETH. The exploiter then placed the ETH into ETH2 staking. Finally, the exploiter used Tornado Cash, a well-known mixer service, to route the stolen ETH.

Time-Weighted Average Price (TWAP) Manipulation

The hackers manipulated Rodeo’s time-weighted average price (TWAP) oracle and altered ETH pricing.

DeFi protocols use a TWAP oracle to calculate the average price of an asset over a given period of time, which smooths out the short-term price swings of the cryptocurrency market. However, a TWAP oracle can still be manipulated by artificially skewing the calculated average price of the asset.

The exploiters first borrowed a large amount of ETH and then manipulated the price so that they could buy the same asset at a reduced price. They then paid off the loan and kept the profit made at the post-manipulation low.
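To make the TWAP discussion above concrete, here is an added Python example (not code from Rodeo Finance or from the original article) that computes a TWAP over constructed observations and checks it against an independent reference price. The names `twap` and `within_bounds`, the 2% threshold, the reference feed and all prices are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    timestamp: int  # seconds
    price: float    # quote-asset units per ETH

def twap(observations, window_start, window_end):
    """Average price over [window_start, window_end], weighting each
    observation by the time it stayed in effect inside the window."""
    obs = sorted(observations, key=lambda o: o.timestamp)
    weighted, covered = 0.0, 0
    for i, o in enumerate(obs):
        nxt = obs[i + 1].timestamp if i + 1 < len(obs) else window_end
        start, end = max(o.timestamp, window_start), min(nxt, window_end)
        if end > start:
            weighted += o.price * (end - start)
            covered += end - start
    if covered == 0:
        raise ValueError("no observations cover the window")
    return weighted / covered

def within_bounds(twap_price, reference_price, max_deviation=0.02):
    """Guard: accept the TWAP only if it is within max_deviation of an
    independent reference price (a second feed, assumed available)."""
    return abs(twap_price - reference_price) / reference_price <= max_deviation

# Constructed sample: the price sits at 1900, then reads 1500 (skewed)
# for the last 15 minutes before NOW.
NOW = 14_400
SAMPLE = [Observation(0, 1900.0), Observation(13_500, 1500.0)]
REFERENCE = 1900.0

def evaluate(window_seconds):
    """Return (twap, accepted) for a window ending at NOW."""
    price = twap(SAMPLE, NOW - window_seconds, NOW)
    return price, within_bounds(price, REFERENCE)

if __name__ == "__main__":
    for window in (1_800, 14_400):  # 30 minutes vs 4 hours
        price, ok = evaluate(window)
        print(f"window={window}s twap={price:.2f} accepted={ok}")
```

With this constructed data the 30-minute window averages 1700 and is rejected, while the 4-hour window averages 1875 and passes. A longer window dampens a short-lived skew, and the deviation check catches what the window alone does not.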

Rodeo TVL dropped significantly

The hack not only sent the Rodeo Finance (RDO) token down 54%, but also caused Rodeo’s Total Value Locked (TVL) to drop significantly.

Before the hack, the DeFi protocol’s TVL was $20 million, but after the hack it fell below $500.

This is the second time Rodeo Finance has been hacked in July 2023. It was previously hacked on July 5, 2023, resulting in the loss of $89,000 worth of crypto assets due to a vulnerability in the “mintProtocolReserves” function.

By Jules

