At 04:05 AM UTC on July 15, an active exploit of a series of periphery contracts occurred. The exploiter abused the delegated powers of Arcadia Account owners on the rebalancer and compounder asset managers, resulting in a $3.6 million loss.
We're working with our security partners, white-hats and law enforcement to identify the exploiter and recover the lost funds. A recovery plan outlining next steps will be shared over the coming days. We remain available for any questions on Discord.
Following the above steps, a community discussion about potential reimbursement measures will be initiated on the governance forum.
This exploit is isolated to the Asset Manager contracts. Lending and Token contracts are not affected.
We urge anyone who interacted with the Asset Managers since Dec 4th 2024 to revoke all Asset Managers and any approvals of assets to any Arcadia Account.
You can disable the automations through your account overview, including any past enabled automations under “manage connections” within the automation settings.
July 14th 2025 - 09:22:03 AM UTC - Attacker Triggers Circuit Breakers The presumed exploiter deployed 2 malicious contracts through address 0xeF35e80Bd9e806A47d468f25CD38a1e63541caB4.
Contract 1: 0x87730d2c2A2D453d3E2248Fd7360D31FEf9c7f04
Contract 2: 0x35a717e88583B2CC1789912C92A57C202ae7d585
These contracts triggered the circuit breakers of the Arcadia Finance core protocol in real time when Contract 1 was deployed, thanks to a Hexagate alert. The protocol was fully paused at 09:22:13 AM UTC.
The team was notified straight away and assessed the deployed contracts by 0xeF35. Upon review by the core team, together with external security experts, these contracts in their current state were evaluated as very suspicious yet not harmful to the protocol and its users.
Simulations on forked networks were performed to mimic the state of the unpaused protocol and assess all possible function calls in the two contracts. No non-reverting actions were found and additional tests and deploy scripts to mimic these contracts were written to confirm additional vectors.
Simulations of all function calls on the malicious contracts in non-paused state: https://www.tdly.co/shared/simulation/bf611343-ccdd-4684-acd9-3ec62c95239a https://www.tdly.co/shared/simulation/a680d742-0225-4479-b4e7-b4bdceb43de8 https://www.tdly.co/shared/simulation/eb9a3f30-98aa-4308-8cf3-444080c6ccb5
After careful review the decision was made to unpause the majority of the protocol, keeping only borrows paused to mitigate any further attempts to exploit Arcadia lending pools.
July 14th 2025 - 13:05 AM UTC - Protocol Is Partially Unpaused
The unpause is executed, approximately 4 hours after the circuit breakers were triggered. After this unpause, the protocol remained locked for additional borrows, as the two deployed contracts had a vector entry into the lending pools. The team continued to write additional tests specific for any path these contracts touched.
The protocol pausing and unpausing played a significant role in the subsequent attack the next day. Arcadia is designed to be resilient against rogue developers and includes a mechanism to prevent developers from pausing the protocol indefinitely and locking all user funds. Only after a fixed “coolDownPeriod” can the protocol be paused again. During the “coolDownPeriod”, the protocol cannot be paused again, even if the circuit breaker is triggered by a new threat. The attacker used this mechanism to its advantage, his initial trigger of the circuit breakers acting as bait to lock the protocol into an unpaused state. This prevented the team from pausing the protocol, when the real attack began.