Arcadia Finance, a DeFi platform operating on Coinbase's Base blockchain, suffered a significant security breach on July 15, 2025, resulting in a $2.5 million exploit. Security firms Cyvers and PeckShield confirmed attackers exploited vulnerabilities in the platform's Rebalancer contract to steal user funds.
The attackers converted stolen assets—including USDC, USDS, and WETH—into approximately 840 Wrapped Ethereum (WETH) before bridging them to Ethereum's mainnet. Specific transactions included the acquisition of 199 WETH and 965.8 million AERO tokens, with 12 user addresses directly impacted.
Arcadia Finance's team immediately paused liquidity operations and issued an urgent warning: "Please remove Rebalancer permissions immediately". The breach highlights recurring DeFi security flaws, particularly concerning smart contract vulnerabilities in rebalancing mechanisms.
PeckShield's analysis traced the attack to a malicious contract deployed on Base, underscoring risks in cross-chain asset transfers. The incident may intensify regulatory scrutiny of DeFi protocols and erode user trust in emerging blockchain ecosystems.