Bug bounty
Triaged by Hackenproof

Arcadia Finance Hack Recovery Program: Program info

Arcadia Finance Hack Recovery Program

Company: Arcadia Finance
KYC required. POC required.
Live
Program is active now

On July 15, 2025, Arcadia Finance, a liquidity management platform for decentralized crypto exchanges, was exploited, resulting in a loss of about $3.6 million in crypto assets. The hackers targeted one of the platform’s key features, the rebalancer on the Base network.

Focus Area

Arcadia Finance Hack Bounty Program

Introduction

On July 15 2025, Arcadia Finance, a liquidity management platform for decentralized crypto exchanges, was exploited, resulting in a loss of about $3.6 million in crypto assets. The hackers targeted one of the platform’s key features, the rebalancer on the Base network. A 10% reward will be granted if the information provided leads to the recovery of stolen funds. Anyone with relevant intel — including names, locations, or verifiable evidence — is encouraged to contact us.

Timeline and Initial Steps Taken

July 14th 2025 - 09:22:03 AM UTC - Attacker Triggers Circuit Breakers

The presumed exploiter deployed two malicious contracts from address 0xeF35e80Bd9e806A47d468f25CD38a1e63541caB4.

Contract 1: 0x87730d2c2A2D453d3E2248Fd7360D31FEf9c7f04
Contract 2: 0x35a717e88583B2CC1789912C92A57C202ae7d585

The deployment of Contract 1 triggered the circuit breakers of the Arcadia Finance core protocol in real time, via a Hexagate alert. The protocol was fully paused at 09:22:13 AM UTC, ten seconds after the deployment.

The team was notified immediately and assessed the contracts deployed by 0xeF35. Upon review by the core team, together with external security experts, the contracts in their current state were judged very suspicious but not harmful to the protocol or its users.

Simulations on forked networks were performed to mimic the state of the unpaused protocol and to exercise every possible function call in the two contracts. No non-reverting actions were found; additional tests and deploy scripts mimicking these contracts were written to check for further attack vectors.

Simulations of all function calls on the malicious contracts in non-paused state:
https://www.tdly.co/shared/simulation/bf611343-ccdd-4684-acd9-3ec62c95239a
https://www.tdly.co/shared/simulation/a680d742-0225-4479-b4e7-b4bdceb43de8
https://www.tdly.co/shared/simulation/eb9a3f30-98aa-4308-8cf3-444080c6ccb5

After careful review the decision was made to unpause the majority of the protocol, keeping only borrows paused to mitigate any further attempts to exploit Arcadia lending pools.

July 14th 2025 - 13:05 UTC - Protocol Is Partially Unpaused

The unpause was executed approximately four hours after the circuit breakers were triggered. After this unpause the protocol remained locked for new borrows, since the two deployed contracts had an entry vector into the lending pools. The team continued to write additional tests covering every path these contracts touched.

The pausing and unpausing of the protocol played a significant role in the attack the next day. Arcadia is designed to be resilient against rogue developers and includes a mechanism that prevents developers from pausing the protocol indefinitely and locking all user funds: only after a fixed “coolDownPeriod” can the protocol be paused again. During the “coolDownPeriod” the protocol cannot be paused, even if the circuit breaker is triggered by a new threat. The attacker turned this mechanism to his advantage: his initial triggering of the circuit breakers acted as bait that locked the protocol into an unpaused state, which prevented the team from pausing the protocol when the real attack began.

July 15th 2025 - 04:05 AM UTC - Attacker Starts His Exploit

At 04:05 AM on July 15th, exploiter 0x0fa54E967a9CC5DF2af38BAbC376c91a29878615 began a series of transactions that led to the eventual exploit, as detailed below.

The team was notified at 04:05 AM, when the malicious contract was deployed, thanks to a Hexagate alert. Although this alert again attempted to trigger the circuit breakers, the pause-unpause limitation meant the protocol could not be paused far enough to prevent the theft of funds.

SEAL Alliance was contacted at 04:25 AM and our security partners were brought up to speed while the root cause was actively investigated.

At 04:25 AM, an initial message from the core team was sent on Discord urging users to revoke permissions granted to asset managers. Direct messages were sent to users whose accounts the core team knew might be at risk, followed by a general message on X at 04:57 AM.

The team reduced asset exposures to zero, momentarily halting the attacker’s ongoing flow of exploit transactions. However, the attacker adapted his exploit transactions to circumvent this measure.

At 10:36 AM, an initial on-chain message was sent to the exploiter, offering a 10% white-hat bounty if the funds were returned within 24 hours, after which a public bounty of the same amount would be offered.

The exploiter currently holds $3.6m in ETH, on ETH Mainnet and Base.

Root Cause

The exploit worked as follows:

The attacker created a number of Arcadia Accounts, which were used as his attack base. https://basescan.org/tx/0xeb1cbbe6cf195d7e23f2c967542b70031a220feacca010f5a35c0046d1a1820a

The attacker then combined a series of functions in a flashaction to interact with his Accounts, with the Rebalancer contracts and with Morpho:

  • The attacker takes three Morpho flashloans of approximately $1.5 billion.
  • The attacker links the Asset Manager to his own Account, with himself set as the initiator.
  • The attacker creates a small LP position.
  • The attacker repays all the debt of the victim Account using the Morpho flashloans.
  • The attacker triggers a rebalance of his own LP position, injecting custom calldata.
  • Instead of rebalancing through a DEX aggregator, the attacker uses the custom calldata to abuse a missing validation and call the victim Arcadia Account from within the Asset Manager, so the call arrives with the Asset Manager as msg.sender.
  • Through that call, the attacker withdraws the position from the victim Account, decomposes it, and takes the owner’s funds.
  • Since the victim Account no longer has open debt, it ends in a healthy state, so the transaction succeeds instead of triggering a failsafe.
  • Part of the stolen funds is swapped to repay the flashloans.
  • The remaining funds stay on the attacker’s contract, from which he withdraws them in a separate transaction.

Example transaction: https://dashboard.tenderly.co/tx/0x06ce76eae6c12073df4aaf0b4231f951e4153a67f3abc1c1a547eb57d1218150

The Attack in More Detail

The root cause of the exploit is that the attacker could hijack the msg.sender of the Asset Manager: by supplying a victim Arcadia Account as the “router”, he made the Asset Manager call that Account, which had set the Asset Manager as an allowed asset manager, with attacker-controlled calldata. To mitigate this vulnerability, the Asset Manager should have checked that the router is not an Arcadia Account. Better still, the swap via a router should have been performed by an intermediate smart contract that has no permissions anywhere on Arcadia contracts.
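The following is an illustration added to this write-up, not Arcadia’s code, of the msg.sender hijack described in the attack steps above and in the root-cause paragraph, with the two named mitigations applied. The contract and function names (Account, VulnerableRebalancer, HardenedRebalancer, Swapper, IAccountFactory.isAccount, withdraw, rebalance, setInitiator) are assumptions that mirror the roles in the description; token handling is reduced to a single transfer so that only the authorisation flaw is in view.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration added to this write-up; not Arcadia's code. All names are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IAccountFactory {
    function isAccount(address addr) external view returns (bool);
}

// Stand-in for an Arcadia Account: the owner delegates to one asset manager, and the
// Account authorises that manager purely on msg.sender.
contract Account {
    address public immutable owner;
    address public assetManager;

    constructor(address owner_) { owner = owner_; }

    function setAssetManager(address manager) external {
        require(msg.sender == owner, "not owner");
        assetManager = manager;
    }

    function withdraw(address token, address to, uint256 amount) external {
        require(msg.sender == assetManager, "not asset manager");
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

// VULNERABLE: the swap is an arbitrary call to a caller-chosen router with caller-chosen
// calldata. The router sees msg.sender == address(this), i.e. the Asset Manager. Only the
// initiator of the caller's *own* Account is checked; nothing stops `router` from being a
// victim Account that trusts this contract.
contract VulnerableRebalancer {
    mapping(address => address) public initiator; // Account => address allowed to rebalance it

    function setInitiator(address account, address who) external {
        require(msg.sender == Account(account).owner(), "not account owner");
        initiator[account] = who;
    }

    function rebalance(address account, address router, bytes calldata swapData) external {
        require(msg.sender == initiator[account], "not initiator");
        // ... a real rebalancer withdraws the LP position from `account` here ...
        (bool ok, ) = router.call(swapData); // arbitrary call; msg.sender is this rebalancer
        require(ok, "swap failed");
        // ... position re-deposited; the health check runs on `account` (the attacker's own) ...
    }
}

// Attack, as the attacker's calldata (constructed here for illustration):
//   vulnerable.rebalance(
//       attackerAccount,                                            // passes the initiator check
//       victimAccount,                                              // the "router"
//       abi.encodeCall(Account.withdraw, (token, attacker, amount)));
// Account.withdraw then runs with msg.sender == vulnerable rebalancer == victim's assetManager.

// HARDENED, applying both mitigations named in the write-up:
//   1. refuse any router that is an Arcadia Account (or this contract);
//   2. perform the router call from a Swapper that holds no permissions on any Account,
//      so even an unexpected router address is never addressed as the Asset Manager.
contract Swapper {
    function swap(address router, bytes calldata swapData) external {
        (bool ok, ) = router.call(swapData); // msg.sender seen by the router is Swapper
        require(ok, "swap failed");
    }
}

contract HardenedRebalancer {
    IAccountFactory public immutable factory;
    Swapper public immutable swapper;
    mapping(address => address) public initiator;

    constructor(IAccountFactory factory_) {
        factory = factory_;
        swapper = new Swapper();
    }

    function setInitiator(address account, address who) external {
        require(msg.sender == Account(account).owner(), "not account owner");
        initiator[account] = who;
    }

    function rebalance(address account, address router, bytes calldata swapData) external {
        require(msg.sender == initiator[account], "not initiator");
        require(!factory.isAccount(router), "router is an Account");   // mitigation 1
        require(router != address(this), "router is the rebalancer");  // mitigation 1
        swapper.swap(router, swapData);                                 // mitigation 2
    }
}
```

The post-rebalance health check offers no protection in the vulnerable version because it runs on the attacker’s own Account, and the victim Account is healthy anyway once its debt has been repaid with the flashloan, which is why the transaction succeeded. Mitigation 1 closes the specific path but leaves the Asset Manager’s authority attached to an arbitrary external call; mitigation 2 removes that authority from the call altogether, so it holds even if a future contract type is added that the factory check does not know about.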

References

  • unpause: https://basescan.org/tx/0x38b744e967e6d6ed8870619ac2f35b6d5612a396eaf3ba981ed754c7395c310d#eventlog
  • pause: https://basescan.org/tx/0x23c3796c42dbca0148975729a5f2dddf539c4c7a8284289e12190fbd5a6c091b
  • contact initiation (Base): https://basescan.org/tx/0x97cdd4a7ec02088b63291a1484d275f6e9279eac972ea069637a060e72b6362b
  • contact initiation (Ethereum mainnet): https://etherscan.io/tx/0xb1025d7313de0283b1a9cae514e207541d4f45bbc1cf2800f6e3aba0a35b878b
  • Exploiter: https://basescan.org/address/0x0fa54e967a9cc5df2af38babc376c91a29878615
  • Possible connected wallet (triggered pause mechanism): https://basescan.org/address/0xeF35e80Bd9e806A47d468f25CD38a1e63541caB4
    • contract deployment that triggered guardians: https://basescan.org/tx/0x0b2b055a4900a8b6c1f21e7c188811e0d67ead3eaa6f7c2c5242f0d4817b32e0

Legal & Ethical Considerations

  • All submitted intelligence must comply with applicable laws and ethical standards.
  • Do not engage in unauthorized access, exploitation of systems without consent, or any activity that violates the law.
  • Reports must not include personally identifiable information (PII) obtained through unlawful or unethical methods.
  • Rewards are subject to internal verification and compliance review.
  • High-value rewards may require Anti-Money Laundering (AML) and Know Your Customer (KYC) verification.

Rewards

Range of bounty: $0 - $360,000

Severity
  • Critical: $0
  • High: $0
  • Medium: $0
  • Low: $0

Stats
  • Scope Review: 954
  • Submissions: 1
  • Total rewards: $0

SLA (Service Level Agreement)
Time within which the program's triage team must respond (response type: business days)
  • First Response: 3d
  • Triage Time: 3d
  • Reward Time: 3d
  • Resolution Time: 14d