Arcadia Finance, a decentralized finance (DeFi) protocol on the Base blockchain, has been hit by a major security breach resulting in the loss of approximately $3.5 million. The exploit, confirmed by blockchain security firm Cyvers, targeted Arcadia’s Rebalancer contract: the attacker passed it arbitrary, manipulated swapData inputs to drain user funds.

The incident occurred early Tuesday morning at 04:05 UTC. In under a minute, the attacker deployed a malicious contract and executed a rogue swap that siphoned assets from at least 12 user vaults. Stolen funds included $2.3 million in USDC and $227,000 in USDS, totaling over $2.5 million. The hacker received 199 WETH and over 965 million AERO tokens through this attack and subsequent swaps.

After laundering the funds into Wrapped Ethereum (WETH), the attacker bridged them from the Base network to Ethereum mainnet. Cyvers identified that the stolen crypto now sits in newly created intermediary wallets, likely to mask the trail through fragmentation, mixing tools, or decentralized exchanges.

The breach didn’t stop there. Shortly after the initial exploit, Arcadia suffered a second attack, pushing the total losses to $3.5 million. Arcadia’s team confirmed the unauthorized transactions and advised users to revoke any permissions granted to rebalancer contracts immediately.

Cyvers recommended that addresses tied to the exploit be blacklisted across Base and Ethereum, and that exchanges and bridges be alerted to prevent further laundering.

This incident adds to a growing list of DeFi exploits in 2025. According to CertiK, over $2.47 billion has been lost to crypto hacks and scams in just the first half of the year, marking a slight rise from 2024’s numbers, with over $800 million lost in Q2 alone.