Hackers exploited a vulnerability in Arcadia Finance’s Rebalancer contract on Tuesday, draining approximately $2.5 million in cryptocurrency from the decentralized finance platform operating on Base blockchain.
The attackers manipulated arbitrary swapData parameters to execute unauthorized swaps that emptied user vaults, according to blockchain security firm Hacken.
The stolen funds, consisting primarily of 2.3 million USDC and 227,000 USDS tokens, were swapped to Wrapped Ethereum and bridged to the Ethereum mainnet within hours of the attack.
Source: Hacken on X
How The Attack Unfolds
The exploit began at 10:58 PM UTC on July 14, when the attacker funded their operation through Tornado Cash on Ethereum, followed by a bridging operation to Base 30 minutes later.
At 04:03 AM UTC on July 15, the malicious actor deployed their attack contract on Base and triggered the exploit within a single minute of deployment.
Multiple assets, including USDC, WETH, EURC, USDS, AERO, and WELL tokens, were systematically drained across several transactions and immediately converted to ETH.
Hacken identified that the vulnerability stemmed from the Rebalancer contract’s failure to properly validate swapData parameters, allowing the attacker to execute rogue swaps that bypassed normal security checks.
The attacker received 199 WETH and 965.8 million AERO tokens during the swap process, affecting 12 different addresses according to the security firm’s analysis.
All stolen funds were subsequently moved to fresh intermediary addresses on Ethereum in an apparent attempt to obscure the transaction trail.
The Arcadia Finance team acknowledged the breach in a statement on X, confirming “unauthorized transactions via a Rebalancer” and immediately instructing users to “remove all permissions for asset managers.”
The team provided specific guidance for users to access their account settings and revoke active Rebalancer permissions, including older rebalancers listed at the bottom of the modal.
Blockchain security firm Hacken reported that the stolen assets were bridged to Ethereum shortly after the attack, with the receiving transaction processing 839.3 WETH through the Across Protocol.
Escalating DeFi Security Concerns
This attack marks Arcadia Finance’s second major security incident, following a $455,000 hack in October 2023 that exploited insufficient input validation in the platform’s Ethereum and Optimism vaults.
The previous breach was caused by similar vulnerabilities in the protocol’s smart contract code, including a lack of reentrancy protection that allowed attackers to bypass internal health checks.
PeckShield had warned about additional code vulnerabilities following the 2023 incident, suggesting the platform’s security measures remained inadequate.
The timing of the Arcadia breach coincides with broader security challenges across the DeFi ecosystem, as CertiK reports over $2.47 billion in losses from 344 incidents during the first half of 2025.
Wallet-related breaches accounted for $1.7 billion across just 34 attacks, while phishing scams resulted in over $410 million stolen in 132 separate incidents.
Base blockchain, despite being backed by Coinbase and having recently launched a $5 million bug bounty program through Cantina, continues to face security challenges as institutional adoption accelerates.
The network’s rapid growth, including JPMorgan’s selection for its JPMD digital deposit token and Shopify’s USDC payment integration across 34 countries, makes security incidents particularly consequential for mainstream adoption.
The post Hackers Drain $2.5M from Arcadia Finance on Base Blockchain – Here’s What Happened appeared first on Cryptonews.
