Hack of Arcadia Finance and theft of 3.5 million dollars and conversion to WETH
Date and Place: The hack occurred on July 15, 2025, on the Layer 2 blockchain Base, developed by Coinbase.
Reason: The hacker targeted the "Rebalancer" contract on the platform, exploiting a vulnerability in the "swapData" permission to submit unauthorized transfer orders.
Loss Amount: A total value of 3.5 million dollars was stolen, after two exploits:
Initially, assets worth about 2.5 million dollars were stolen (including 2.3 million USDC and USDS tokens), and exchanged for 199 WETH with 965.8 million AERO tokens.
Then an additional theft of approximately 1 million dollars in subsequent transactions.
How the funds were handled: After the hack, WETH (~840 ETH according to some estimates) and its bridges were transferred to the main Ethereum network, through several addresses to obfuscate the transfer trail.
Arcadia's Reaction: The platform suspended the affected contracts and requested users to withdraw permissions for "Rebalancer" and "Asset Manager" to prevent any further unauthorized transactions.
Security Recommendations: Security companies like Cyvers, Certik, and Hacken, as well as the platform itself, urged to blacklist the involved addresses, notify bridge banks, and pursue legal actions with authorities.
