Rodeo Finance, founded by Arbitrum, lost $888,000 in a recent hack.
The “Force Investment” hack was implemented, allowing an attacker to steal 472 ethereum ($888,000). The wallet then sent 150 ETH to the Tornado Cash mixer, leaving 371 ETH in the wallet.
Initially, the exploiter funded 50 ETH from Tornado Cash to perform the hack.
Arbitrum is a popular layer 2 scaling solution for the Ethereum network that uses optimistic convolution technology.
Blockchain security company PeckShield first reported the attack on Twitter with a link to the transaction of the attack, commenting: “Hey @Rodeo_Finance, you might want to take a look.”
The attacker used the “Investor.earn()” function to force trading from the USDC pool with Rodeo interest. The exploiter first took 290 Wrapped Ethereum (WETH) from the pool by transferring the assets to the Ethereum network, and then used oracle manipulation to inflate the price of their ETH by exchanging it for unshETH.
unshETH is a DeFi project that aims to promote the decentralization of validators by creating a marketplace for staked ETH liquidity where validators compete for the best performance.
When making the above transaction, slippage, that is, the difference between the order of the transaction and its execution, is not valid. This means that the conversion of WETH to unshETH did not reflect fair market value.
The attacker then returned to the Ethereum network to steal another 230 WETH from the Rodeo vault.
Before returning to the Ethereum network, he sent 150 ETH to Tornado Cash and left 371 ETH in the wallet.
A total of 520 WETH were taken from the Rodeo vault, but only 472 WETH are considered losses. This is because the attacker topped up the wallet with 50 ETH to run the exploit.
PeckShield initially reported a loss of $1.5 million but later adjusted it to a loss of $888,000 due to double counting.
