On July 15, 2025, Arcadia Finance, a DEX liquidity management protocol on Base, lost $3.6M in a multi-stage exploit. The root cause was unchecked swapData in RebalancerSpot.rebalance, which allowed arbitrary router calls from the rebalancer's own context and let the attacker hijack its privileges via msg.sender spoofing. The attacker, funded via Tornado Cash, deployed malicious contracts on July 14 to trigger cooldowns that disabled the protocol's circuit breakers. On July 15 they flash-loaned $1.5B from Morpho Blue, repaid victim debts to bypass health checks, injected a malicious router to withdraw LP NFTs from whitelisted accounts, and drained the positions for a $3.6M profit that was bridged out via Across. Dedaub's postmortem flagged the CPIMP proxy vector, but the core flaw was trust in an external call in SwapLogic._swapViaRouter without any validation of the router. Arcadia paused its markets, pursued recoveries through HackenProof with a $100k bounty, and Nexus Mutual paid out $250k in claims; the team unpaused after fixes, but TVL dropped 80%. This OWASP SC06 unchecked call, staged over two days, shows that cooldown mechanisms can themselves become attack vectors. The defensive lessons are router allowlists, separation of context for privileged operations, and pre-deployment simulation to catch manipulations of this kind, set against 2025's $2.3B hack wave.
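As an added example (not Arcadia's code and not from Dedaub's postmortem), the following hypothetical Solidity sketch shows the unchecked-router-call pattern beside a hardened version that applies the router allowlist and context separation recommended above. The contract and function names and the IRouter interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the unchecked-call pattern; not Arcadia's code.
interface IRouter {
    function swap(bytes calldata data) external;
}

// Vulnerable: caller supplies router and calldata, and the call runs in the
// rebalancer's own context, so a malicious router sees msg.sender == rebalancer
// and can call back into anything that trusts the rebalancer.
contract VulnerableRebalancer {
    function rebalance(address router, bytes calldata swapData) external {
        (bool ok, ) = router.call(swapData); // arbitrary external call
        require(ok, "swap failed");
    }
}

// Hardened: the external call is delegated to an unprivileged executor, so a
// callback from the router carries no rebalancer authority.
contract SwapExecutor {
    function execute(address router, bytes calldata data) external {
        (bool ok, ) = router.call(data); // router sees msg.sender == SwapExecutor
        require(ok, "swap failed");
    }
}

// Hardened: routers come from an owner-managed allowlist and the calldata is
// built here from typed parameters rather than accepted raw from the caller.
contract HardenedRebalancer {
    address public immutable owner;
    SwapExecutor public immutable executor;
    mapping(address => bool) public allowedRouter;

    constructor() {
        owner = msg.sender;
        executor = new SwapExecutor();
    }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedRouter[router] = allowed;
    }

    function rebalance(address router, uint256 amountIn, uint256 minOut) external {
        require(allowedRouter[router], "router not allowlisted");
        bytes memory data = abi.encodeCall(IRouter.swap, (abi.encode(amountIn, minOut)));
        executor.execute(router, data);
    }
}
```

The executor is deliberately unprivileged; in a real deployment it would hold only the funds needed for one swap and accept calls only from the rebalancer, so that a reentrant callback from a router has nothing to hijack.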