Rodeo Finance, a DeFi protocol on Arbitrum, seemingly fell victim to an oracle manipulation attack on Tuesday, with the perpetrator making off with about 472 ether ($888,000), the latest in a series of recent crypto exploits.
Blockchain security firm PeckShield, which initially detected the incident, conducted further analysis of on-chain data. Its analysis indicates that the attacker transferred the ill-gotten gains from Arbitrum to Ethereum. They then exchanged the stolen tokens for various other assets before converting them back to ether. The final stage of the exploit saw the ether being routed through Tornado Cash, a popular transaction mixer on the Ethereum network, effectively obfuscating the trail of funds.
The Rodeo Finance team has not yet issued a response or statement regarding the incident.
Igor Igamberdiev, the head of research at Wintermute, told The Block the attack was a “TWAP oracle manipulation.” In the DeFi realm, TWAP, or Time-Weighted Average Price, serves as an oracle to calculate the average price of an asset over a specific time frame. This method is typically employed to mitigate the effects of brief spikes in price volatility.
DeFi hackers manipulate TWAP oracles by artificially skewing the calculated average price of an asset to gain an undue advantage during a transaction. Such manipulation paves the way for several forms of attacks, flash loan exploits being one of them. In such an exploit, the attacker borrows a vast sum of a certain asset, devalues it via TWAP oracle manipulation, and then acquires more of the same at the artificially depreciated price. Upon repaying the loan, the attacker retains the surplus, thereby profiting from an elaborate manipulation scheme.
Complex maneuvers like these have over the last few years become tools for hackers who manipulate oracle price data feeds to execute exploits, as seen in the case of Rodeo Finance. The Rodeo exploit is not an isolated occurrence; rather, it is part of a trend that has been plaguing the Arbitrum ecosystem over the past few months.
In April, Sentiment, another DeFi protocol running on Arbitrum, lost $1 million to a hacker. This was followed by an even larger security breach in May, where the Jimbos protocol was stripped of a staggering $7.5 million.
The 'ForceInvestment' incident
Speaking with The Block, PeckShield provided insights into the specifics of the attack. According to its analysis, the Rodeo Finance hack is referred to as a “ForceInvestment” hack.
The firm said there was a critical flaw in Rodeo Finance’s “Investor.earn()” routine, designed to swap USDC for wrapped ether (WETH) and then for another liquid staking token called unshETH. The anticipated slippage control, meant to prevent excessive price deviation during a transaction, did not function correctly due to an erroneous unshETH price oracle.
The oracle in question, based on the Time-Weighted Average Price (TWAP) methodology, calculated its price data using the reserve of the WETH/unshETH pair. Due to the low liquidity of these reserves, the price of unshETH experienced substantial fluctuations.
Further exacerbating the situation was the significant discrepancy between the oracle-reported unshETH price and its expected value. The oracle cited the price of unshETH at $4219, whereas its typical rate compared to WETH should have placed it around $1880. This discrepancy facilitated the hacker’s ability to manipulate trades, profiting from a system loophole while the protocol’s slippage controls failed to intervene.
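The failure mode PeckShield describes, as an added example rather than code from Rodeo Finance or PeckShield: a constant-product pool whose reserve ratio doubles as the price oracle, the price impact one trade has on a thin pool versus a deep one, and the independent-reference sanity check a slippage guard needs so that it does not anchor itself to the very price being skewed. The pool sizes are constructed, the fee-free constant-product model and the use of an instantaneous reserve ratio (rather than a time-weighted one) are simplifying assumptions, and only the $4219 and $1880 unshETH figures come from the article.

```python
"""Reserve-ratio oracle on a thin pool, and a deviation guard for it."""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x * y = k) WETH/unshETH pair; constructed reserves."""
    weth: float
    unsheth: float

    def price_unsheth_in_weth(self) -> float:
        # Reserve-ratio "oracle": WETH per unshETH read straight from reserves.
        return self.weth / self.unsheth

    def buy_unsheth(self, weth_in: float) -> float:
        # Fee-free x*y=k swap (assumption): returns unshETH paid out.
        k = self.weth * self.unsheth
        new_weth = self.weth + weth_in
        out = self.unsheth - k / new_weth
        self.weth, self.unsheth = new_weth, self.unsheth - out
        return out


def price_impact(pool: Pool, weth_in: float) -> float:
    """Fractional change of the reserve price after a single trade of weth_in.

    Works on a copy so the caller's pool is untouched."""
    trial = Pool(pool.weth, pool.unsheth)
    before = trial.price_unsheth_in_weth()
    trial.buy_unsheth(weth_in)
    return trial.price_unsheth_in_weth() / before - 1.0


def deviation(observed: float, reference: float) -> float:
    """Relative distance of an oracle read from an independent reference."""
    return abs(observed - reference) / reference


def oracle_sane(observed: float, reference: float, max_dev: float) -> bool:
    """Guard a slippage check should run before trusting a pool-derived price:
    reject any read further than max_dev from a reference the trade cannot move."""
    return deviation(observed, reference) <= max_dev


if __name__ == "__main__":
    # Same 10 WETH trade: a thin pool moves 300%, a deep pool about 0.2%.
    print(f"thin pool impact: {price_impact(Pool(10.0, 10.0), 10.0):.2%}")
    print(f"deep pool impact: {price_impact(Pool(10_000.0, 10_000.0), 10.0):.2%}")
    # The article's figures: $4219 reported vs. roughly $1880 expected.
    print("oracle read accepted:", oracle_sane(4219.0, 1880.0, max_dev=0.05))
```

With a 5% tolerance the guard rejects the $4219 read outright, which is the intervention the protocol's slippage control never made because it measured slippage against the skewed price itself.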
The total lost sum from the hack was amended in the headline, along with the addition of further details throughout the article.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.