Arcadia Finance Falls Victim to a $3.5 Million DeFi Heist—Exploit Exposes Major Vulnerabilities

The Blockchain State Team

07/16/2025

While crypto enthusiasts were sleeping, hackers were working overtime on the Base blockchain. Arcadia Finance, a permissionless DeFi platform backed by Coinbase Ventures, just lost almost $3.5 million in a sophisticated heist. Tough break.

The attack targeted the Rebalancer contract through a vulnerability in swapData parameters. Simple, really—if you’re a criminal mastermind. Automated market makers handle billions in monthly trading volume, making them prime targets for exploits. CertiK flagged unusual transactions, while Cyvers pinpointed the exploit’s beginning at 04:05:58 UTC when a malicious contract was deployed.

Hackers surgically exploited swapData parameters while security firms watched the theft unfold in real time.

The hacker executed a rogue swap that drained multiple user vaults. Classic DeFi nightmare.

The stolen assets, primarily USDC and USDS stablecoins, were swiftly converted to WETH and bridged from Base to Ethereum mainnet. The thief spread the loot across fresh intermediary addresses. Because of course they did.

Arcadia’s response was textbook damage control. They warned users to revoke permissions for affected contracts immediately. Then came the negotiation: return 90% of the money and we’ll let you keep the rest. Don’t comply? Enjoy a public bounty on your identity. Good luck staying anonymous then, buddy.

The technical failure boils down to insufficient input validation. The contract couldn’t tell the difference between legitimate swaps and malicious ones. Amateur hour for a protocol with Coinbase backing. The security breach involved an arbitrary call vulnerability that allowed excessive asset withdrawal.
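To make the "arbitrary call through swapData" failure concrete, here is an added illustration (constructed for this write-up, not Arcadia's code): a rebalancer that forwards caller-supplied swap calldata blindly, beside a hardened version that validates it before and after the call. The contract names, the `allowedRouter`/`allowedSelector` lists and the balance-delta checks are assumptions about how such a contract could validate swapData, not a description of the actual Rebalancer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function balanceOf(address) external view returns (uint256); }

// VULNERABLE pattern (hypothetical): target and calldata both come from the caller
// and are forwarded unchecked. swapData is therefore an arbitrary call made with this
// contract's authority, so any balance or approval it holds can be moved by any caller.
contract RebalancerUnchecked {
    function rebalance(address target, bytes calldata swapData) external {
        (bool ok, ) = target.call(swapData);
        require(ok, "swap failed");
    }
}

// HARDENED pattern (hypothetical): only an authorised caller may rebalance, only
// allowlisted routers and function selectors may be called, reentry is blocked, and the
// outcome is checked against expected token movements instead of trusting the call.
contract RebalancerChecked {
    address public immutable owner;
    mapping(address => bool) public allowedRouter;
    mapping(bytes4 => bool) public allowedSelector;
    bool private locked;

    constructor(address[] memory routers, bytes4[] memory selectors) {
        owner = msg.sender;
        for (uint256 i = 0; i < routers.length; i++) allowedRouter[routers[i]] = true;
        for (uint256 i = 0; i < selectors.length; i++) allowedSelector[selectors[i]] = true;
    }

    function rebalance(
        address router, bytes calldata swapData,
        address tokenIn, uint256 maxIn, address tokenOut, uint256 minOut
    ) external {
        require(msg.sender == owner, "not authorised");
        require(!locked, "reentrant");
        locked = true;
        require(allowedRouter[router], "router not allowlisted");
        require(swapData.length >= 4 && allowedSelector[bytes4(swapData[:4])], "bad selector");

        uint256 inBefore = IERC20(tokenIn).balanceOf(address(this));
        uint256 outBefore = IERC20(tokenOut).balanceOf(address(this));
        (bool ok, ) = router.call(swapData);
        require(ok, "swap failed");
        // Bound what the call was allowed to move: at most maxIn spent, at least minOut received.
        require(IERC20(tokenIn).balanceOf(address(this)) + maxIn >= inBefore, "spent too much");
        require(IERC20(tokenOut).balanceOf(address(this)) - outBefore >= minOut, "received too little");
        locked = false;
    }
}
```

The post-call balance checks are the part that turns "the contract couldn't tell legitimate swaps from malicious ones" into an enforced invariant: whatever the router does internally, the rebalancer reverts unless the token movement matches what the caller declared.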

This heist isn’t happening in isolation. The DeFi sector has hemorrhaged over $302 million in May 2025 alone. Security vulnerabilities persist despite audits and big-name backers. 2025 is shaping up to be crypto’s worst year for theft—ever.

Other platforms have gone the negotiation route too. GMX offered a $40 million bounty after their incident, while Coinbase dangled $20 million for information in a separate case. It’s becoming the standard playbook: get robbed, negotiate, pray for partial recovery.

Welcome to DeFi in 2025. Your funds aren’t as safe as you think.

"The old world runs on trust. The new one runs on code."