Decentralized finance (DeFi) protocol Arcadia Finance was attacked for approximately $3.5 million due to a vulnerability discovered in the "Rebalancer" smart contract on the Base blockchain. This incident marked the platform's second major security breach, following a $455,000 hack last year.
The attack was first detected by blockchain security firm Certik on the morning of July 15th. Certik announced that they detected suspicious transactions on the Base network and that the attacker initially seized approximately $1.6 million worth of assets. As time went by, the extent of the damage grew, reaching a total loss of $3.5 million.
What is behind the Arcadia Finance attack?
The attack stemmed from the improper validation of the swapData parameter in Arcadia's "Rebalancer" contract. According to a statement by security firm Hacken, the attackers exploited this vulnerability to execute unauthorized transactions and drain user funds. The seized assets included 2.3 million USDC, 227,000 USDS, and various amounts of WETH, EURC, AERO, and WELL tokens.
The attacker began their operation by anonymously transferring funds via Tornado Cash on the Ethereum network. These funds were then bridged to the Base network, the attack contract was deployed, and exploitation operations were initiated within seconds. The obtained cryptocurrencies were converted to Wrapped Ethereum (WETH) and moved to the Ethereum mainnet. During this process, the attacker transferred 199 WETH and approximately 965 million AERO tokens. These transactions were spread across 12 different wallet addresses, making them difficult to trace.
The Arcadia Finance team confirmed the attack in a statement on social media platform X, warning users to remove all asset manager permissions. They also recommended immediately disconnecting Rebalancer and Compounder connections.
This latest incident has once again highlighted concerns about security vulnerabilities in the DeFi sector. In the first half of 2025, a total of $2.47 billion in losses were reported across just 344 incidents. Of these losses, $1.7 billion resulted from direct wallet attacks and $410 million from phishing attacks.
Arcadia's operations on the Base network were shaped by the support of major investors like Coinbase Ventures. Each attack is critical to DeFi's institutional adoption, especially as enterprise-focused blockchains like Base integrate with major names like JPMorgan and Shopify.
