Arcadia Incident Analysis

On 15 July 2025, an attacker exploited insufficient input validation in Arcadia Finance’s Rebalancer/RebalanceSpot call chain by supplying arbitrary swapData that allowed reentrancy and execution of calldata targeting victim accounts; the attacker drained assets (~$3.6M worth of ETH) after repaying victim debt and withdrawing underlying tokens. The report includes step‑by‑step attack flow, key transaction links, attacker and contract addresses, fund flow (including bridging to Ethereum), and notes that Arcadia offered a 10% bounty for return of remaining funds.