On July 14th, 2025, the Arcadia protocol suffered an exploit resulting in user funds being stolen by an unknown hacker. The vulnerability at the root of this exploit was detailed in Arcadia: Post Mortem 14-07-2025.

Following a careful analysis, the Arcadia team has formulated a multi-pronged approach to patch the vulnerability and significantly improve upon the protocol’s security measures.

Below we outline an initial set of changes to be rolled out in the medium to short term. These contribute to a more robust architecture and include:

1. Asset Managers v2.1

Patch the vulnerability and add circuit breakers to asset managers. Work on Asset Managers v2.1 is finished and currently being audited.

Router Vulnerability Patch

Instead of relying on input validation of the router address (with white- and blacklist), the Asset Manager does not call the router directly but forwards router calls to a dedicated non-privileged contract, further referred to as the Router Trampoline.

For any swap via a router, the Asset Manager forwards the maximum amount of tokenIn to the Router Trampoline, which executes the actual swap.

After the swap, the Router Trampoline sends its full balance of tokenOut (and any leftover tokenIn) back to the Asset Manager.
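A minimal Solidity sketch of the trampoline flow described above, added here as an illustration and not Arcadia's audited contract. The contract name, the `execute` signature and the error name are hypothetical, and it assumes the Asset Manager transfers tokenIn to the trampoline before calling it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

// Hypothetical sketch. The contract has no owner, no roles and no standing
// balance, so an arbitrary (router, data) pair can only reach the tokenIn
// that the caller sent in for this one swap.
contract RouterTrampolineSketch {
    error CallFailed();

    // Assumption: the caller (the Asset Manager) transferred `amountIn` of
    // tokenIn to this contract immediately before calling execute().
    function execute(address router, bytes calldata data, IERC20 tokenIn, IERC20 tokenOut, uint256 amountIn)
        external
        returns (uint256 amountOut, uint256 leftoverIn)
    {
        _call(address(tokenIn), abi.encodeCall(IERC20.approve, (router, amountIn)));

        // The untrusted call originates here, so the target sees msg.sender
        // as an address that holds no privileges on any Account.
        (bool ok,) = router.call(data);
        if (!ok) revert CallFailed();

        // Drop any unused allowance, then sweep everything back to the caller.
        _call(address(tokenIn), abi.encodeCall(IERC20.approve, (router, 0)));

        amountOut = tokenOut.balanceOf(address(this));
        if (amountOut > 0) _call(address(tokenOut), abi.encodeCall(IERC20.transfer, (msg.sender, amountOut)));

        // Read after the first sweep so tokenIn == tokenOut is not sent twice.
        leftoverIn = tokenIn.balanceOf(address(this));
        if (leftoverIn > 0) _call(address(tokenIn), abi.encodeCall(IERC20.transfer, (msg.sender, leftoverIn)));
    }

    // Tolerates tokens that return nothing instead of a bool.
    function _call(address token, bytes memory payload) private {
        (bool ok, bytes memory ret) = token.call(payload);
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert CallFailed();
    }
}
```

The calling Asset Manager still has to compare the returned `amountOut` against its own minimum before continuing.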


Dedicated Circuit Breakers

Each Asset Manager comes equipped with separate circuit breakers and no cooldown period, allowing immediate isolation of suspicious Asset Managers.

Since Asset Managers never hold user funds, the cooldown period can be safely removed without risking that user funds are locked up indefinitely.

2. Arcadia Accounts v2

Accounts v2 introduces additional security layers which can mitigate the impact of, or completely prevent, similar vulnerabilities in Asset Managers.