Decoding Rodeo Finance Hack


Read Time: 4 minutes

Summary:

On the 11th of July 2023, Rodeo Finance on the Arbitrum chain was attacked. The attack was made possible by a price oracle manipulation vulnerability, and around 472 ETH was stolen by the hackers through the exploit.

About Project:

Rodeo is a DeFi protocol that allows users to earn a yield on a diverse range of managed and passive investment strategies. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address:  0x2f3788F2396127061c46fC07BD0fcb91faAcE328

Victim Contract:  0xE9544Ee39821F72c4fc87A5588522230e340aa54

Attack Transaction: 0x98f1e234faac8b7f7ceaffe4e8e0581038678d95710b646db45ec3de47e6c3af

The Root Cause:

  • The attacker forced the platform to swap USDC for unshETH through the earn() function by supplying an unconfigured strategy address.
  • The root cause of this exploit is a flawed TWAP oracle implementation: it derives the price from the ETH/unshETH reserve ratio of the pool.
  • In a stableswap pool like this one, the reserve ratio can be pushed almost entirely to one side, which amplifies the ETH price reported by the oracle.
  • The TWAP price is calculated by averaging the last 4 recorded prices, with a new price recorded only every 45 minutes.
  • The Rodeo Finance contracts then consume this faulty price.
  • Under normal circumstances, the price impact of the swap should have left only a small amount of output tokens, but that did not happen, as the contract was led to believe the position was healthy.
  • At the end of the call, the contract checks whether the execution is valid.
  • Since the attacker controlled the strategy, this check was bypassed.
  • Finally, the attacker arbitraged the bad position by selling the prepared unshETH back to the pool, extracting the liquidity taken from the platform in the previous steps.

Attack Process:

  • Manipulate the TWAP oracle by sandwiching the ‘update’ call.
  • Open a leveraged position by calling the Investor.earn() function and borrow $400k USDC.
  • Swap the assets into the underlying Camelot DEX pool.
  • Sell the prepared unshETH back to the pool.

Flow of Funds:

The exploiter has bridged the stolen funds from Arbitrum to Ethereum, swapped 285 ETH for unshETH and deposited them to Ankr: ETH2 Staking, and transferred 150 ETH to Tornado Cash.

Complete resolution image here.

Attacker’s Wallets:

Here is a snippet of the attacker’s wallet. Check the complete details here.


After the Exploit

The Project acknowledged the hack via Twitter.

Incident Timelines

11-07-2023 (07:45:25 AM UTC) – Suspicious activity was spotted on the Rodeo Finance contracts.

11-07-2023 (07:59:35 AM UTC) – Exploiter swapped 285 unshETH.

11-07-2023 (08:13:59 AM UTC) – Exploiter deposited 150 Ether to Tornado.Cash with a transaction fee of 0.015 Ether.

Price Impact

The price of the RDO token dropped from $0.2 to $0.08 immediately following the attack. It is currently trading at $0.1 as of the time of writing this blog. See here.


How could they have prevented the Exploit?

The exploit could have been prevented if the price oracle had been correctly implemented.

The oracle should not rely on the reserve ratio of the two pool tokens to calculate the final price, since that ratio can be moved within a single transaction.

Also, multiple independent oracles should be used for price queries, so that no single manipulable source decides whether a position is healthy.

The best way to enhance a platform's security is to use a robust decentralized oracle such as Chainlink, or to aggregate many different price feeds.
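To make the root cause and the recommended fix concrete, the following is an added example written for this post; it is not Rodeo Finance code and does not reproduce the Camelot pool. It models the weak design described above (a TWAP that averages the last 4 reserve-ratio samples, one sample every 45 minutes) and shows that a single sample taken while the reserves are skewed moves the whole average. Beside it sits the defensive read the prevention section calls for: the pool-derived price is compared with the median of independent reference feeds and refused when it deviates too far. The pool sizes, the 5% threshold and the reference feeds are constructed assumptions.

```python
"""Toy model of a reserve-ratio TWAP oracle and a deviation guard.

Constructed example, not Rodeo Finance code. Pool sizes, the reference
feeds and the 500 bps threshold are assumptions chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import Callable, Optional, Sequence, Tuple

TWAP_WINDOW = 4            # post: TWAP averages the last 4 recorded prices
UPDATE_INTERVAL = 45 * 60  # post: one update every 45 minutes (in seconds)


@dataclass
class Pool:
    """Constructed stableswap-like pool; only the reserve ratio is modelled."""
    reserve_eth: float
    reserve_unsheth: float

    def spot_ratio(self) -> float:
        # ETH per unshETH read straight from the reserves: the faulty input
        return self.reserve_eth / self.reserve_unsheth


class ReserveRatioTWAP:
    """The weak design: mean of the last TWAP_WINDOW spot-ratio samples."""

    def __init__(self, pool: Pool) -> None:
        self.pool = pool
        self.samples: deque = deque(maxlen=TWAP_WINDOW)
        self.last_update = -UPDATE_INTERVAL

    def update(self, now: int) -> bool:
        """Record a sample if UPDATE_INTERVAL has elapsed; True if recorded."""
        if now - self.last_update < UPDATE_INTERVAL:
            return False
        self.samples.append(self.pool.spot_ratio())
        self.last_update = now
        return True

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


class PriceDeviation(Exception):
    """Raised when the pool-derived price disagrees with the reference feeds."""


def guarded_price(twap: ReserveRatioTWAP,
                  feeds: Sequence[Callable[[], float]],
                  max_deviation_bps: int = 500) -> float:
    """Hardened read: compare the TWAP with the median of independent feeds
    (assumed external oracles) and refuse it when the gap exceeds
    max_deviation_bps. A lending contract would revert instead of opening
    or re-valuing a position on such a price."""
    reference = median(feed() for feed in feeds)
    pool_price = twap.price()
    deviation_bps = abs(pool_price - reference) * 10_000 / reference
    if deviation_bps > max_deviation_bps:
        raise PriceDeviation(
            f"pool price {pool_price:.3f} deviates {deviation_bps:.0f} bps "
            f"from reference {reference:.3f}")
    return pool_price


def run_scenario(skewed_reserves: Optional[Tuple[float, float]] = None
                 ) -> ReserveRatioTWAP:
    """Four honest updates, then optionally one more update taken while the
    reserves sit on one side of the pool and are restored right afterwards."""
    pool = Pool(reserve_eth=1000.0, reserve_unsheth=1000.0)   # ratio 1.0
    twap = ReserveRatioTWAP(pool)
    for i in range(TWAP_WINDOW):
        twap.update(i * UPDATE_INTERVAL)
    if skewed_reserves is not None:
        pool.reserve_eth, pool.reserve_unsheth = skewed_reserves
        twap.update(TWAP_WINDOW * UPDATE_INTERVAL)     # the distorted sample
        pool.reserve_eth, pool.reserve_unsheth = 1000.0, 1000.0
    return twap


# Constructed reference feeds that keep reporting the honest 1:1 price.
REFERENCE_FEEDS = (lambda: 1.00, lambda: 1.01, lambda: 0.99)


if __name__ == "__main__":
    honest = run_scenario()
    skewed = run_scenario(skewed_reserves=(1900.0, 100.0))
    print("honest TWAP  :", honest.price())   # 1.0
    print("skewed TWAP  :", skewed.price())   # 5.5: one sample moved a 4-sample mean by 450%
    print("guarded honest:", guarded_price(honest, REFERENCE_FEEDS))
    try:
        guarded_price(skewed, REFERENCE_FEEDS)
    except PriceDeviation as exc:
        print("guarded skewed: rejected ->", exc)
```

The point of the model is the arithmetic, not the pool: with only four samples, one distorted reading drags the average far from the honest price, and nothing in the reserve-ratio design can tell the difference. The guard does not make the TWAP honest; it makes the consumer refuse to act on a price that independent feeds contradict, which is the property a lending contract actually needs.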

Web3 Security: Need of the Hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving millions in funds.
