defirisk.co
rubric v1.7.0

ArcadiaFi: Arbitrary swapData call via trusted rebalancer contract — attacker exploited cooldown period from decoy pause to prevent emergency shutdown during drain

Occurred: 2025-07-14 | Loss: $4M | Status: closed

Summary

ArcadiaFi suffered a DeFi Vault / Structured Products incident on 2025-07-14, resulting in a loss of approximately $4M.

What happened

ArcadiaFi lost $3.6M to an attacker who used a two-phase strategy: first triggering the protocol's own circuit breaker to start a cooldown timer, then draining user vaults through an arbitrary call in the rebalancer while ArcadiaFi was unable to pause.

Linked factors

  • RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited but rebalancer external call validation missed]
  • RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the forced pause/unpause cycle was the setup]