Arcadia Finance has been hit by a $3.5 million exploit involving cross-chain transactions on Base and Ethereum, reigniting concerns over decentralized finance vulnerabilities.
Major Exploit Hits Arcadia Finance
Decentralized finance (DeFi) protocol Arcadia Finance has fallen victim to a significant security breach, losing over $3.5 million in crypto assets in a series of exploits that unfolded on July 15, 2025. The incident marks one of the latest in a string of high-profile DeFi attacks this year, intensifying market anxiety around cross-chain bridge vulnerabilities.
The exploit was flagged by blockchain analytics firm Cyvers, which reported that the attacker deployed a malicious smart contract early Tuesday morning. Within a minute, the attacker triggered the exploit, siphoning funds amounting to around $2.5 million from Arcadia’s vaults. The stolen tokens were rapidly swapped for Wrapped Ethereum (WETH) on the Base network before being bridged over to the Ethereum mainnet.
Funds Laundered Through Intermediary Addresses
According to Cyvers, the attacker attempted to conceal the stolen assets by routing them through fresh intermediary Ethereum addresses. This tactic, commonly used by exploiters, is designed to fragment the stolen funds and obscure the transaction trail. Analysts warned that the funds could soon be mixed or moved through decentralized exchanges (DEXs), complicating recovery efforts.
The Arcadia Finance team confirmed the incident via a post on X.com, stating:
“The team is aware of unauthorized transactions via a Rebalancer. Remove all permissions for asset managers. More information will follow.”
The protocol also urged users to revoke permissions for active rebalancers and announced that $2.5 million in reimbursement funds had been temporarily allocated to support affected users.
Second Attack Deepens Losses
Following the initial breach, Cyvers revealed that Arcadia suffered a secondary exploit. The attacker successfully extracted an additional $1 million in several transactions, pushing total losses to $3.5 million. The compromised tokens included approximately 2.3 million USDC, 227,000 USDS, 199 WETH, and over 965 million AERO tokens across 12 addresses.
Arcadia’s smart contracts have since been paused, with the team collaborating with security firms and law enforcement agencies to investigate the breach.
The protocol stated:
“We will continue to work with our security partners, law enforcement, and the broader community to resolve this as best we can. Our number one priority is recovering funds for Arcadia protocol users.”
Recurring Vulnerabilities and Market Impact
The latest exploit comes amid a concerning uptick in DeFi-related thefts. According to recent data, the first half of 2025 has recorded over $2.47 billion in losses from hacks, scams, and exploits, which is almost a 3% increase from the $2.4 billion stolen in 2024.
Researchers at Coincu suggest that recurring incidents like this may prompt stricter oversight and encourage protocols to adopt more robust cross-chain and smart contract security frameworks.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice
