Arcadia Finance, a decentralized finance (DeFi) platform operating on the Base blockchain, suffered an exploit resulting in the theft of about $2.5 million in cryptocurrency.
The attacker exploited a vulnerability in Arcadia’s Rebalancer contract by abusing arbitrary swapData parameters, enabling a rogue swap that drained assets from user vaults, according to an alert from blockchain security company Cyvers.
In a report shared with Cointelegraph, Cyvers said the exploit unfolded on Tuesday at 04:05:58 UTC. The attacker deployed a malicious contract and triggered the exploit within a minute. The stolen tokens were then swapped to Wrapped Ethereum (WETH) on the Base network and bridged over to the Ethereum mainnet.
Cyvers flagged that all looted funds sat behind fresh intermediary addresses on Ethereum, indicating an attempt to obfuscate the trail through fragmentation, and that mixing or decentralized exchange (DEX) activity was likely to follow soon.
$2.5 million in USDC, USDS stolen
The stolen tokens included about 2.3 million USDC and around 227,000 USDS, for a loss of $2.5 million. The attacker received 199 WETH and 965.8 million AERO tokens during the swap process, across 12 impacted addresses.
Cyvers recommended blacklisting the involved addresses on both Base and Ethereum, notifying major exchanges and bridges to halt inbound transactions and sharing suspicious activity reports with law enforcement.
In a Tuesday post on X, the Arcadia Finance team confirmed the exploit. “The team is aware of unauthorized transactions via a Rebalancer. Remove all permissions for asset managers. More information will follow,” the team said.
They asked users to revoke any permissions granted to rebalancers within Arcadia’s platform to minimize further risk.
$2.47 billion stolen in first half of 2025
The first half of 2025 has seen more than $2.47 billion in losses due to hacks, scams and exploits, representing a nearly 3% increase over the $2.4 billion stolen in 2024.
More than $800 million was lost across 144 incidents in Q2, a 52% decrease in value lost compared to the previous quarter, with 59 fewer hacking incidents, CertiK said in a report earlier this month.
Cointelegraph has reached out to Arcadia and will update this piece should we hear back.