Arcadia Finance, known for its automated liquidity management protocol, faced a massive exploit on July 15, 2025. The protocol, deployed on the Base chain, lost around $3.5 million after a critical input validation flaw was exploited by an attacker.
What Went Wrong?
At the heart of the exploit was the rebalance function in Arcadia’s smart contract. This function allowed users to manage their liquidity positions flexibly. However, it lacked strict validation checks for certain inputs, especially the swapData parameter, opening a door for attackers.
The attack began with a large flash loan of 5,623 WETH and 9,968 cbBTC. Using this, the attacker cleverly set themselves as the asset manager by invoking the setAssetManager function, a feature available for normal users. Once in control, they could trigger sensitive functions like flashAction().
The attacker then minted an LP NFT with a minimal amount of assets and even repaid a debt on behalf of the victim contract to bypass the system’s health check mechanism. By doing this, they ensured their malicious actions wouldn’t immediately revert.
The Exploit Flow
With the groundwork set, the attacker called the rebalance function on the RebalancerSpot contract. This function accepted a maliciously crafted swapData payload. Through a series of function calls enabled by this data, the attacker executed a flash action that allowed them to withdraw various NFT LP positions tied to Arcadia.
Once withdrawn, they drained these positions by removing liquidity — walking away with substantial profits.
The Root Cause
The real issue lay in the unchecked input of the rebalance function and the chained internal function calls that followed.
- The malicious swapData wasn’t validated.
- This led to internal calls like _swap() and executeAction() trusting and executing harmful logic.
- The attacker used this loophole to extract LP positions and empty them.
In simple terms, Arcadia’s contracts were too trusting of user-supplied data, an oversight that cost them millions.
Aftermath
The attacker funded their operations via Tornado Cash and later bridged 1,203 ETH from Base to Ethereum using Across Protocol. Despite the Arcadia team reaching out, recovery efforts showed no success.
Want to know how this hack unfolded in detail?
We’ve broken down the full attack flow, fund movement, and key security lessons in our detailed analysis :
👉 Read the Full Analysis on Arcadia Finance Exploit
Crypto Hacks in 2025: A Growing Concern
The Arcadia exploit is just one among many high-profile attacks that shook the Web3 space in 2025. In fact, over $2.3 billion was lost to various exploits in the first half of the year alone. Access control flaws, social engineering and unchecked input validations topped the list of attack vectors.
If you want a deeper dive into these trends and key security insights, check out our 2025 H1 Crypto Exploits & Security Breaches Report.
Don’t Let Input Validation Flaws Drain Your Protocol!
Arcadia’s $3.5M exploit highlights a classic yet dangerous oversight, failing to validate critical input data. At QuillAudits, we help projects spot such vulnerabilities before attackers do, with in-depth audits and a multi-layered review framework.
Top comments (0)