- Rodeo Finance is an Arbitrum-based decentralized finance (DeFi) protocol.
- The hacker manipulated price oracles and executed trades using the manipulated price.
- The price of Rodeo Finance’s native token has plunged 54% after the hack.
On July 11, the Arbitrum-powered decentralized finance (DeFi) protocol Rodeo Finance was hacked, resulting in the loss of 810 Ether (ETH) worth $1.53 million. The DEX was exploited through a code vulnerability in its oracle.
PeckShield, a blockchain analytics firm, published data showing that the exploiter eventually transferred the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for $unshETH. The exploiter subsequently placed the ETH in ETH2 staking. Last but not least, the exploiter used Tornado Cash, a well-known mixer service, to route the stolen ETH.
Time-Weighted Average Price (TWAP) Oracle manipulation
The hacker manipulated Rodeo’s Time-Weighted Average Price (TWAP) oracle and tampered with the pricing of ETH.
DeFi protocols use a TWAP oracle to calculate the average price of an asset over a particular time frame, which mitigates price fluctuations caused by the volatility of the crypto market. However, it is susceptible to manipulation through artificial skewing of the calculated average asset prices.
The exploiter first borrowed a massive sum of ETH and then artificially manipulated the price to buy the same asset at a deflated price. Later, the hacker repaid the loan and made a profit based on the low price after the manipulation.
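The averaging described above, together with a defensive sanity check, is sketched below as an added example; it is not Rodeo Finance's code. The window lengths, the 5% deviation limit, the independent reference price and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    timestamp: int  # seconds; the price holds until the next observation
    price: float

def twap(observations, now, window):
    """Time-weighted average price over [now - window, now]."""
    start = now - window
    weighted, covered = 0.0, 0
    for i, obs in enumerate(observations):
        end = observations[i + 1].timestamp if i + 1 < len(observations) else now
        lo, hi = max(obs.timestamp, start), min(end, now)
        if hi > lo:
            weighted += obs.price * (hi - lo)
            covered += hi - lo
    if covered < window:
        # Refuse to average over less history than the caller asked for.
        raise ValueError("price history does not cover the whole window")
    return weighted / covered

def check_price(observations, now, window, reference, max_deviation=0.05):
    """Return (accepted, twap_value); reject a TWAP that strays from the reference."""
    value = twap(observations, now, window)
    deviation = abs(value - reference) / reference
    return deviation <= max_deviation, value

# Constructed sample: the price sits at 2000 for 13,500 s, then a skewed
# reading of 1200 persists for the final 900 s before NOW.
HISTORY = [Observation(0, 2000.0), Observation(13500, 1200.0)]
NOW = 14400
REFERENCE = 2000.0  # assumed price from an independent second source

if __name__ == "__main__":
    for window in (1800, 14400):
        ok, value = check_price(HISTORY, NOW, window, REFERENCE)
        print(f"window={window:>5}s twap={value:.1f} accepted={ok}")
```

With the same skewed reading, the 30-minute window moves to 1600 and is rejected by the deviation check, while the 4-hour window moves only to 1950: a short averaging window gives far less protection than a long one, and a cross-check against a second source catches the case the window alone does not.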
Rodeo’s TVL drops considerably
Besides causing the Rodeo Finance (RDO) token to tumble 54%, the hack has also caused the total value locked (TVL) in Rodeo to fall drastically.
Before the hack, the DeFi protocol had $20 million in TVL, but it has since dropped under $500 after the hack.
This is the second time that Rodeo Finance has been hacked in July 2023. It was also hacked on July 5, 2023, when $89,000 worth of crypto assets were lost as a result of a vulnerability in its ‘mintProtocolReserves’ function.