- Arcadia Finance lost $2.5 million in USDC and USDS due to a contract exploit
- Stolen assets were swapped to WETH and bridged from Base to Ethereum
- The incident adds to $2.47 billion in crypto losses reported in the first half of 2025
Arcadia Finance, a DeFi platform operating on the Base blockchain, suffered a $2.5 million exploit due to a vulnerability in its Rebalancer contract. According to blockchain security firm Cyvers, the attacker manipulated the contract’s swapData parameters, initiating a rogue swap that drained user vaults.
The exploit occurred on Tuesday at 04:05:58 UTC, with the attacker deploying a malicious contract and triggering the exploit in less than a minute. The stolen assets were immediately swapped to Wrapped Ethereum (WETH) and bridged to the Ethereum mainnet.
Funds fragmented across intermediary addresses
Cyvers reported that all stolen funds are currently held behind fresh intermediary addresses on Ethereum. The distribution suggests a potential attempt at obfuscation, possibly through mixers or decentralized exchanges (DEXs) in the near future.
The attacker stole approximately 2.3 million USDC and 227,000 USDS, totaling $2.5 million. In the process, the attacker obtained 199 WETH and 965.8 million AERO tokens across 12 impacted addresses.
Cyvers recommended that exchanges, bridges, and infrastructure providers blacklist the related wallet addresses on both Base and Ethereum networks and notify law enforcement to prevent further laundering.
Arcadia confirms exploit, urges users to revoke permissions
In a Tuesday post on X, the Arcadia Finance team confirmed the exploit and advised users to revoke permissions granted to asset managers and rebalancers on the platform.
“The team is aware of unauthorized transactions via a Rebalancer. Remove all permissions for asset managers. More information will follow,” the team said.
The announcement urged caution and preventive measures to minimize additional risks.
Crypto hacks total $2.47 billion in H1 2025
The Arcadia incident adds to a troubling trend. According to data from CertiK, the first half of 2025 has seen over $2.47 billion stolen through hacks, scams, and exploits, a 3% increase from the $2.4 billion lost in 2024.
In Q2 2025 alone, over $800 million was stolen across 144 incidents, though the total value lost decreased by 52% compared to Q1. The report also recorded 59 fewer hacking cases, indicating that while frequency declined, large-scale vulnerabilities remain a significant threat in DeFi.