Exploit withdraws $3,5 million from Arcadia Finance on the Base network

• Arcadia Finance suffers attack and loses US$3,5 million
• Certik identifies flaw in rebalancing contract
• Users must revoke permissions in DeFi protocols

The decentralized finance platform Arcadia Finance was the target of an exploit that resulted in estimated losses of approximately $3,5 million, according to information released by security firm Certik. The incident began Tuesday morning when suspicious transactions were detected on the Base network, a scaling solution supported by Coinbase.

According to Certik, the attacker allegedly used arbitrary "swapdata" functions within Arcadia's rebalancing contract to initially siphon off approximately $1,6 million. As the malicious activity continued, the losses increased to $3,5 million within hours.

3/ The attack is still ongoing and an additional ~$1M (319 WETH) has been stolen, bringing the total loss to ~$3.5M. pic.twitter.com/XjTMDa6lhl

— CertiKAlert (@CertiKAlert) July 15, 2025

In an official statement posted on the X network (formerly Twitter), the Arcadia team confirmed the incident and recommended immediate security measures to users: "The team is aware of unauthorized transactions through a Rebalancer. Please remove all permissions for asset managers." The platform's website also includes an additional warning for users to disconnect any contracts related to rebalancers or composites.

The team is aware of unauthorized transactions via Rebalancer.
Remove all permissions for asset managers.
More information will follow.

— Arcadia Finance (@ArcadiaFi) July 15, 2025

Arcadia is described as a margin protocol that enables permissionless lending, trading, and leverage, attracting users focused on decentralization and asset autonomy. The platform is backed by Coinbase Ventures, which has put it in the spotlight within the DeFi community.

Certik, responsible for identifying the attack, is a leader in blockchain security, with investments from companies such as Sequoia Capital, Goldman Sachs, and Tiger Global. The company recently reported that attacks on DeFi protocols totaled $302 million in May alone, indicating that threats to the sector remain constant.

The attack on Arcadia highlights the challenges DeFi platforms face in maintaining security given the complexity of smart contracts and the rapid exploitation of exploits in decentralized systems. The Arcadia team has not yet confirmed whether refunds will be issued to affected users.