Blockchain Insights

💥 Arcadia Finance Exploited: $3.5M Stolen in Rebalancer Contract Hack

UppSecEcho

July 16, 2025

On July 15, 2025, Arcadia Finance became the latest DeFi project to fall victim to a smart contract exploit, resulting in the loss of $3.5 million in user funds. Here's what happened, how the attacker executed the hack, and what it means for the DeFi space going forward.


🚨 What Happened?

In the early hours of July 15, an attacker exploited a critical vulnerability in Arcadia Finance's Rebalancer contract, a tool that allows users to manage asset allocations across their portfolio.


Within minutes, the attacker drained approximately $2.5 million in stablecoins and other assets from Arcadia's Base protocol vaults. Shortly after, a second attack followed, stealing an additional $1 million, bringing the total losses to over $3.5 million.


🧠 How the Exploit Worked

The exploit originated from a flaw in the swapData parameter of the Rebalancer contract.


The attacker passed arbitrary and malicious data into swapData.


This allowed the attacker to bypass validation checks and trigger unauthorized fund movements.


A custom malicious contract executed the swap, draining user vaults in under one minute.
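The class of check that was bypassed can be sketched as follows. This is an added illustration, not Arcadia's code: the contract name, the `(router, callData)` layout assumed for `swapData`, and the allowlist design are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Arcadia's code. The (router, callData) layout of
// swapData and every name below are assumptions.
contract GuardedRebalancer {
    address public immutable admin;
    // router => function selector => allowed
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    error NotAdmin();
    error CallNotAllowed(address router, bytes4 selector);
    error SwapFailed();

    constructor() {
        admin = msg.sender;
    }

    function setAllowedCall(address router, bytes4 selector, bool allowed) external {
        if (msg.sender != admin) revert NotAdmin();
        allowedCall[router][selector] = allowed;
    }

    // Unchecked form, for contrast: the caller picks both target and calldata.
    //   (address router, bytes memory data) = abi.decode(swapData, (address, bytes));
    //   (bool ok, ) = router.call(data);

    function executeSwap(bytes calldata swapData) external {
        (address router, bytes memory data) = abi.decode(swapData, (address, bytes));

        // Reject calldata too short to carry a function selector.
        if (data.length < 4) revert CallNotAllowed(router, bytes4(0));
        bytes4 selector = bytes4(data);

        // Only pre-approved (router, selector) pairs are ever called.
        if (!allowedCall[router][selector]) revert CallNotAllowed(router, selector);

        (bool ok, ) = router.call(data);
        if (!ok) revert SwapFailed();
    }
}
```

An allowlist on target and selector does not constrain the call's arguments, so recipient and amount checks, or a balance comparison before and after the swap, are still needed alongside it.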


🦹 Attacker Wallets & Fund Movements

The key wallet involved in the exploit:


0x0fa54E967a9CC5DF2af38BAbC376c91a29878615

Image 1: Source from Etherscan


Funds were bridged from Base Mainnet to ETH Mainnet.

As of today, the ETH remains in this wallet and no further movement has been initiated.


✅ Final Thoughts

The Arcadia hack underscores a painful truth: DeFi remains vulnerable without robust testing, on-chain monitoring, and swift incident response. As attackers grow more sophisticated, protocols must prioritize security as a feature, not an afterthought.


Stay safe. Revoke unnecessary permissions. And keep your eyes on the chain.
