QI Quadriga Initiative

Jul 2025 - Arcadia Finance Rebalancer swapData Delegated Power Abuse - $3.6m (Global)

Arcadia is a DeFi platform designed to simplify and optimize liquidity management across decentralized exchanges (DEXs) such as Uniswap, Aerodrome, and Alienbase. It enables users to manage, automate, and leverage liquidity positions with minimal effort through a unified interface. Users can compare yield opportunities across different pools and DEXs, select from curated strategies, and access top-performing token pairs—from major assets like ETH and BTC to trending memecoins. Arcadia supports a wide range of tokens and liquidity positions, making it accessible to both retail and institutional investors seeking yield and capital efficiency.

Arcadia offers a variety of advanced automated strategies with varying risk profiles and leverage options. These include Pseudo Delta Neutral strategies (ETH or USD-focused), Bullish or Bearish Crypto strategies, and more, with potential APYs ranging from around 30% to over 680%. Each strategy outlines leverage limits, supported pools, and risks such as interest rate volatility and liquidation. With one-click execution, users can borrow, swap, and provide liquidity simultaneously, enhancing yield while maintaining relative control over risk exposure. Tools also allow users to customize parameters like tick ranges and leverage for precision optimization.

The platform is audited by multiple firms (including Sherlock and bytes032), and is backed by leading investors like Coinbase Ventures and Mechanism Capital. Arcadia is trusted by a growing DeFi community for its intuitive UI, transparency, and responsive support. Institutions and large capital allocators can collaborate directly with Arcadia to develop tailored strategies and access deep liquidity. With no lockups or withdrawal fees, Arcadia is also a viable passive income source for lenders. The community continues to praise the protocol’s usability, risk controls, and continuous product improvement.

The exploiter appears to have supplied arbitrary "swapData" to Arcadia's rebalancer contract to execute the exploit.

Stolen tokens include 2.3M USDC, 227k USDS, plus an additional $1m USD worth of tokens.

Because the additional $1m USD was taken after the other tokens, some sources report $2.5m USD being taken, while others report $3.5m USD.

Arcadia Finance originally posted a notice:

"The team is aware of unauthorized transactions via a Rebalancer. Remove all permissions for asset managers. More information will follow."

They provided instructions for users to disconnect their wallets and stop losing funds.

Warning showing up on the homepage:
"DISCONNECT REBALANCERS AND COMPOUNDERS FROM YOUR ACCOUNTS. We've detected unusual activity affecting automation features. Please disconnect all rebalancers and compounders from your account now. Also revoke access to all ERC20 tokens the account had access to."

Arcadia Finance offered the attacker a 12-hour window in which they could contact the team. Their post was highly threatening to the exploiter, and did not appear to offer a 10% bounty.

There is no indication that any funds have been recovered.

Arcadia Finance has introduced a bounty for information that leads to the recovery of the funds, with rewards up to $360,000 USD.

Further Analysis

Arcadia Finance, a DeFi platform known for its automated liquidity strategies, was exploited via its rebalancer contract, which allowed arbitrary "swapData" execution. The attacker stole approximately $3.5 million in assets, including 2.3M USDC and 227k USDS. In response, Arcadia issued urgent warnings for users to disconnect rebalancers and revoke token permissions, and later introduced a bounty of up to $360,000 for information leading to fund recovery. The platform initially gave the exploiter a 12-hour window to respond but did not offer a traditional bounty deal, and as of now, no funds have been recovered.
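
The failure class named above is caller-supplied "swapData" that a contract holding delegated authority executes without constraint. As an added illustration (not Arcadia's code and not a reconstruction of the exploited contract), this Python model shows the kind of allowlist check that constrains such data; the byte layout, addresses and selectors are constructed assumptions.

```python
# Added illustration: off-chain model of a swapData check. Not Arcadia's code.
# Assumed layout: swapData = 20-byte target || calldata, where calldata is a
# 4-byte selector || ABI-encoded (address recipient, uint256 amountIn, uint256 minOut).

ROUTER = bytes.fromhex("11" * 20)          # constructed placeholder router address
ACCOUNT = bytes.fromhex("22" * 20)         # constructed placeholder user account
OTHER = bytes.fromhex("33" * 20)           # constructed placeholder third party
SWAP_SELECTOR = bytes.fromhex("aabbccdd")  # constructed, hypothetical swap() selector

ALLOWED = {ROUTER: {SWAP_SELECTOR}}        # target -> selectors the rebalancer may call


def word(value: int) -> bytes:
    """ABI-encode an unsigned integer as one 32-byte word."""
    return value.to_bytes(32, "big")


def build_swap_data(target, selector, recipient, amount_in, min_out):
    """Assemble swapData in the assumed layout (used for the constructed samples)."""
    return target + selector + recipient.rjust(32, b"\x00") + word(amount_in) + word(min_out)


def check_swap_data(swap_data: bytes, account: bytes):
    """Return (ok, reason). Anything the allowlist does not name is refused."""
    if len(swap_data) != 20 + 4 + 3 * 32:
        return False, "unexpected length"
    target, selector, args = swap_data[:20], swap_data[20:24], swap_data[24:]
    if target not in ALLOWED:
        return False, "target not allowlisted"
    if selector not in ALLOWED[target]:
        return False, "selector not allowlisted"
    if args[:12] != b"\x00" * 12 or args[12:32] != account:
        return False, "recipient is not the account"
    if int.from_bytes(args[64:96], "big") == 0:
        return False, "no minimum output set"
    return True, "ok"


SAMPLES = {  # constructed inputs
    "good": build_swap_data(ROUTER, SWAP_SELECTOR, ACCOUNT, 1000, 990),
    "other_target": build_swap_data(OTHER, SWAP_SELECTOR, ACCOUNT, 1000, 990),
    "other_selector": build_swap_data(ROUTER, bytes.fromhex("deadbeef"), ACCOUNT, 1000, 990),
    "other_recipient": build_swap_data(ROUTER, SWAP_SELECTOR, OTHER, 1000, 990),
    "no_min_out": build_swap_data(ROUTER, SWAP_SELECTOR, ACCOUNT, 1000, 0),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_swap_data(data, ACCOUNT))
```

The same default-deny rule applies on-chain: the delegated contract decodes the data itself and refuses any target, function or recipient it was not explicitly configured to allow.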

How Could This Have Been Prevented?


Sources/Further Reading

Arcadia Finance - "We will allow the attacker a 12h grace period starting now to contact us, after which a bug bounty will be opened rewarding 10% of funds returned if the intel leads to a recovery." - Twitter/X (Dec 31)
Cyvers Alerts - "ALERT Today, our system has detected a multiple suspicious transaction involving @ArcadiaFi on #Base with loss of 2.5M." - Twitter/X (Dec 31)
Cyvers Alerts - "UPDATE @ArcadiaFi attacker has just executed another ~$1M from #arcadia in multiple transactions!" - Twitter/X (Dec 31)
Arcadia Finance Loses $2.5 Million in DeFi Exploit - AInvest (Dec 31)
Arcadia Finance exploited, $3.5M stolen and converted to WETH - CoinTelegraph (Dec 31)
$3.5 million exploit hits DeFi platform Arcadia on Base - The Block (Dec 31)
CertiK Alert - "We have detected multiple suspicious transactions on Base... The exploiter took ~$1.6M from @ArcadiaFi, likely through arbitrary 'swapdata' on its rebalancer contract." - Twitter/X (Dec 31)
First Attack Transaction - CertiK Skylens (Dec 31)
Second Attack Transaction - CertiK Skylens (Dec 31)
Arcadia Finance Hack - Revoke.Cash (Dec 31)
Arcadia Finance Hack 2025 – What We Know So Far - GetFailSafe (Dec 31)
Arcadia Finance Homepage (Dec 31)
Arcadia Finance - Fjord Foundry (Dec 31)
Arcadia Finance - Ethereum Ecosystem (Dec 31)
Competitors To Arcadia Finance - Messari (Dec 31)
How Arcadia Finance Integrates Virtual TestNets at Each Stage of Development - Tenderly Blog (Dec 31)
Arcadia Finance - LinkedIn (Dec 31)

