Arcadia Finance: The Arbitrary SwapData Rebalancer Exploit (July 2025)
On July 15, 2025, Arcadia Finance, a margin-lending and account-management protocol on the Base network, was hit by a major exploit totaling approximately $3.6 million. The vulnerability was a textbook failure of Input Validation within a delegated execution component—the "Rebalancer."
Technical Overview
Arcadia Finance utilizes user-controlled "accounts" or "vaults" where collateral is held. To maintain target leverage or portfolio balance, the protocol allows a Rebalancer contract to execute swaps on behalf of the user. To facilitate this, the rebalancing function accepted a swapData parameter, which was intended to contain encoded call instructions for a Decentralized Exchange (DEX) router.
The core vulnerability was that the Rebalancer contract did not sufficiently validate the target contract or the payload within that swapData.
Exploit Mechanism: Delegated Authority Hijack
The attacker leveraged the fact that the Rebalancer was a "trusted" contract with permissions to move assets within user vaults.
- Arbitrary Parameter Injection: The attacker called the rebalancing function but provided a swapData payload that targeted a malicious router contract controlled by the attacker.
- Authority Inheritance: When the Rebalancer contract executed the call() using the attacker's data, the call was initiated from the Rebalancer address. Since the Rebalancer held the necessary approvals to withdraw assets from user vaults (to facilitate swaps), the malicious contract inherited this execution context.
- The Malicious Drain: Inside the injected call, the attacker's contract invoked a transfer() or withdrawal() on the victim's vault. From the perspective of the vault, the instruction came from the authorized Rebalancer, and the assets were released.
- Liquidation and Exit: The attacker drained assets including USDC and WETH, converted them into approximately 840 ETH, and bridged them from Base to the Ethereum mainnet.
Why This Matters (The "Callback" Pattern Hazard)
This incident highlights the systemic risk in Delegated Execution Patterns.
- The "Capability" Trap: If a contract holds high-privilege capabilities (like vault withdrawal permissions), it must be extremely rigid about the destinations of its external calls.
- Post-Transaction Invariants: The exploit succeeded largely because the protocol did not enforce a strict "Account Health" invariant immediately after the external call returned, which would have caught the sudden drop in Net Asset Value (NAV).
Mitigation Strategies
- Router Whitelisting: Implement an immutable, governance-controlled whitelist of allowed DEX router addresses. The Rebalancer should only execute calls against these specific targets.
- Payload Inspection: Use internal validation logic to decode swapData and ensure it strictly targets authorized functions (e.g., swapExactTokensForTokens) and not arbitrary transfer functions.
- Balance Snapshots (Atomic Checks): Compare the vault's Net Asset Value (NAV) immediately before and after the swapData execution. If the NAV drops by more than the expected slippage percentage, the entire transaction should revert.
- Limited Permission Transfers: Rather than holding long-term approvals, the Rebalancer should ideally receive specific, temporary "Permit2"-style allowances only for the exact amount and duration of the transaction.
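The following Solidity sketch is an added example, not Arcadia's code, showing how the first three mitigations combine in one rebalancing entry point: a governance-controlled router whitelist, a selector check on swapData, and a NAV invariant enforced after the external call returns. The IAccount interface, its nav() view, and the 0.50% slippage bound are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed vault interface for this example only; nav() returns net asset value in a common unit.
interface IAccount {
    function nav() external view returns (uint256);
}

contract HardenedRebalancer {
    address public immutable governance;
    mapping(address => bool) public allowedRouter;   // mitigation 1: router whitelist
    mapping(bytes4 => bool) public allowedSelector;  // mitigation 2: payload inspection
    uint256 public constant MAX_SLIPPAGE_BPS = 50;   // mitigation 3: 0.50% NAV tolerance (assumed)

    error RouterNotAllowed(address router);
    error SelectorNotAllowed(bytes4 selector);
    error NavInvariantViolated(uint256 navBefore, uint256 navAfter);

    constructor(address _governance) {
        governance = _governance;
        // Only the swap entry point may appear in swapData; derive the selector rather than hardcoding it.
        allowedSelector[bytes4(keccak256(
            "swapExactTokensForTokens(uint256,uint256,address[],address,uint256)"))] = true;
    }

    // Governance, not callers, decides which routers exist.
    function setRouter(address router, bool allowed) external {
        require(msg.sender == governance, "not governance");
        allowedRouter[router] = allowed;
    }

    function rebalance(IAccount account, address router, bytes calldata swapData) external {
        // The vulnerable pattern was an unchecked router.call(swapData); every check below was missing.
        if (!allowedRouter[router]) revert RouterNotAllowed(router);
        if (swapData.length < 4) revert SelectorNotAllowed(bytes4(0));
        bytes4 selector = bytes4(swapData[:4]);
        if (!allowedSelector[selector]) revert SelectorNotAllowed(selector);

        uint256 navBefore = account.nav();
        (bool ok, ) = router.call(swapData);
        require(ok, "swap failed");
        uint256 navAfter = account.nav();

        // Post-transaction invariant: NAV may fall only by the permitted slippage, else revert the whole tx.
        uint256 minNav = navBefore - (navBefore * MAX_SLIPPAGE_BPS) / 10_000;
        if (navAfter < minNav) revert NavInvariantViolated(navBefore, navAfter);
    }
}
```

A payload aimed at an unlisted router, or one whose first four bytes are not the swap selector, reverts before any call is made; a swap that drains value beyond the tolerance reverts afterwards, undoing the transfer.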
Conclusion
The $3.6M Arcadia Finance heist serves as a warning that Permission is Transitive. If a protocol delegates its power to untrusted user data, it effectively hands that power to the first attacker who can craft a malicious payload. In the highly composable world of DeFi, input validation at component boundaries is as critical as the core math of the protocol.