
ArcadiaFi: The Rebalancer Permission Exploit (July 2025)

On July 15, 2025, ArcadiaFi (on the Base L2) was hit with a $2.5 million exploit. The attacker siphoned assets including USDC and WETH, bridging approximately 840 ETH back to the Ethereum mainnet. The core of the vulnerability was a mismatch in how Rebalancer permissions were managed and revoked for user accounts.

Technical Overview

ArcadiaFi is a liquidity management protocol that allows users to optimize their holdings through "Rebalancers"—specialized contracts with limited permissions to swap or move assets within the user's account for the purpose of maintaining a target strategy (e.g., delta-neutralizing an LP position).

Exploit Mechanism: Permission Persistence & "Stale" Rebalancers

The exploit focused on the authorization loop between user accounts and active Rebalancer contracts.

  1. Approval Persistence: Users provide approvals (allowances) to specific Rebalancer contracts to perform actions on their behalf.
  2. Stale Logic Policy: ArcadiaFi had recently updated its Rebalancer logic, but older versions of these contracts remained authorized by users who had not manually revoked them.
  3. The "Malicious Callback": The attacker identified a flaw in the interaction between a specific older Rebalancer and a user's margin account. By triggering a rebalancing action with malicious input data, the attacker forced the Rebalancer to perform an unauthorized transfer of the user's collateral.
  4. Instant Liquidation Bypass: Because the transfer occurred within the context of an "authorized" rebalancing call, the protocol's internal health-checks or liquidation triggers were either bypassed or satisfied with manipulated values during the execution window.

Why This Matters (The "Stale" Approval Vector)

This incident highlights the persistence of risk in DeFi. Even after a protocol upgrades to "safe" contracts, the lingering approvals given to older, potentially vulnerable contracts (the "Old Rebalancers") provide a backdoor for attackers. Security in 2025 has moved beyond just the "active" code to the management of "legacy" permissions.

Mitigation Strategies

  • Approval Auto-Revocation: Protocols should implement logic that automatically revokes approvals to old implementation addresses when a user migrates to a newer strategy or rebalancer.
  • Permit2 Integration: Moving toward the Uniswap Permit2 standard allows for time-bound approvals and batch revocations, significantly reducing the "approval for life" risk.
  • Limited Callback Scope: Ensure that contracts receiving rebalancing permissions can only interact with a white-listed set of routers and pools, preventing arbitrary transfer calls.
  • Permission Transparency: User front-ends must clearly flag "Legacy Permissions" and provide one-click buttons to "Clean Up" or "Revoke All Stale" approvals.
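The following contract is an added illustration of the first, third and fourth points above (auto-revocation on migration, a limited callback scope, and a health check that cannot be satisfied by attacker-supplied values); it is not ArcadiaFi's code and does not model Permit2. Every name in it (MarginAccount, setRebalancer, allowedTarget, executeRebalance, isHealthy, MIN_HEALTH_BPS) is an assumption for the example. The point it demonstrates is that a single rebalancer slot means a user can never carry a "stale" authorization to an old implementation, and that even the active rebalancer can only reach whitelisted routers, never the account's token contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not ArcadiaFi's code. All contract, function and
// variable names here are assumptions made for this example.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract MarginAccount {
    address public immutable owner;

    // Exactly one rebalancer slot: migrating overwrites the previous address,
    // so an older rebalancer cannot remain authorized after an upgrade.
    address public rebalancer;

    // Routers and pools an authorized rebalancer may call. Token contracts are
    // never whitelisted, so a rebalancer cannot call transfer/approve directly.
    mapping(address => bool) public allowedTarget;

    // Collateral tokens and 18-decimal prices (owner-set here for the example;
    // a real account would read a price oracle).
    address[] public collateralTokens;
    mapping(address => uint256) public priceE18;

    // Debt in the same 18-decimal unit as balance * price.
    uint256 public debt;

    // Minimum collateral/debt ratio in basis points (110%).
    uint256 public constant MIN_HEALTH_BPS = 11_000;

    event RebalancerChanged(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyRebalancer() {
        require(rebalancer != address(0) && msg.sender == rebalancer, "not the active rebalancer");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Auto-revocation: the previous rebalancer loses authority in the same
    // transaction that grants it to the new one. address(0) revokes entirely.
    function setRebalancer(address next) external onlyOwner {
        address previous = rebalancer;
        rebalancer = next;
        emit RebalancerChanged(previous, next);
    }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        require(target != address(this), "cannot whitelist self");
        allowedTarget[target] = allowed;
    }

    function addCollateral(address token, uint256 price) external onlyOwner {
        collateralTokens.push(token);
        priceE18[token] = price;
    }

    function setDebt(uint256 newDebt) external onlyOwner {
        debt = newDebt;
    }

    // Token allowances are granted only by the owner and only to whitelisted
    // spenders, so no rebalancer, active or stale, can redirect them.
    function approveToken(address token, address spender, uint256 amount) external onlyOwner {
        require(allowedTarget[spender], "spender not allowed");
        require(IERC20(token).approve(spender, amount), "approve failed");
    }

    // Limited callback scope: only whitelisted targets, and the account must be
    // healthy afterwards, judged on post-call balances, not on calldata values.
    function executeRebalance(address target, bytes calldata data)
        external
        onlyRebalancer
        returns (bytes memory)
    {
        require(allowedTarget[target], "target not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "rebalance call failed");
        require(isHealthy(), "account unhealthy after rebalance");
        return ret;
    }

    function isHealthy() public view returns (bool) {
        if (debt == 0) return true;
        uint256 collateralValue;
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            address token = collateralTokens[i];
            collateralValue += IERC20(token).balanceOf(address(this)) * priceE18[token] / 1e18;
        }
        return collateralValue * 10_000 >= debt * MIN_HEALTH_BPS;
    }
}
```

The design choice worth noting is that authority is a single overwritable slot rather than an ever-growing set of approvals: a user who calls setRebalancer to migrate has, by construction, nothing left to "clean up", which is exactly the gap the stale-approval vector relies on. The post-call isHealthy check reads live balances after the external call returns, so a rebalancer that moves collateral out of the account during the call cannot leave it in an unhealthy state and still have the transaction succeed.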

Conclusion

The $2.5M ArcadiaFi exploit serves as a critical lesson in permission lifecycle management. A secure contract is not just one without bugs, but one that ensures its users aren't left exposed to the vulnerabilities of its predecessors.