Status | Low | Medium | High | Critical | Total |
---|---|---|---|---|---|
Not fixed | 9 | 6 | 4 | - | 19 |
Fixed | 8 | 6 | 10 | - | 24 |
Total | 17 | 12 | 14 | 0 | 43 |

Quick Summary

Rodeo Finance, a yield protocol on Arbitrum, was exploited through an oracle issue, causing a loss of 1,690,000 $USD.

Details of the Exploit

Rodeo Finance was hit by an exploit resulting in a loss of approximately $880k stolen from the lending pool. Although the total impact was $1.7M, around $810k was recovered.

The exploit occurred due to a sandwich attack on one of the oracles, meant to be a TWAP for Camelot's Uniswap v2 pools, during its price update. This inflated the price, which enabled the hacker to borrow from the lending pool and swap all of it to the said token. The hacker then arbitraged the DEX pool back to its normal price. The remaining ~810k left in the Rodeo farm used for the attack was subsequently recovered.

Block Data Reference

Ethereum:

- Attacker Address: https://etherscan.io/address/0x2f3788f2396127061c46fc07bd0fcb91faace328
- Staking Transaction: https://etherscan.io/tx/0x114c656122d0b2837376d2ed03190c7f287c32e43e6a783e0a27696d32bc65db
- TornadoCash Transfer Transaction: https://etherscan.io/tx/0xadc1c04b06f3758cb9defe5084223637422761856f08d20ac4b0d0f113a2f603

Arbitrum:

- Attacker Address: https://arbiscan.io/address/0x2f3788f2396127061c46fc07bd0fcb91faace328
- Malicious Transactions:
  - https://arbiscan.io/tx/0xdbcb308232f15ab572305aba4e4821579c3a46ee71f3096acf1ed99afe089ef1
  - https://arbiscan.io/tx/0xb1be5dee3852c818af742f5dd44def285b497ffc5c2eda0d893af542a09fb25a
  - https://arbiscan.io/tx/0x3942760f2a8f6cf9f0289e2b8061d944f6e252d43cf733ec7987125b97c3de0b

# | Name | Auditor | Date | Chains | Issues |
---|---|---|---|---|---|
1 | Rodeo Finance | Paladin | 2023/12/21 | Arbitrum | No active critical issues |