Skip to main content
Sign in
Arcadia V21 decision on this page

Audit log

Every state-changing event for Arcadia V2: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-26 19:54:34Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 422,351,505
    sig
    AN8wh5Fjb6cv…od67AJfRexplorer ↗
    hash
    EEgPAbtVXUwh…C9JFbNMRsha256 → base58
    verifying row…full verify ↗
    canonical bytes (7450 B) ▸
    {"actor":"system:backfill","investigation_id":"88a00d0e-8123-4c71-9bf7-7827f2bc78d1","kind":"publish","page_slug":"arcadia-v2","published_at":"2026-05-26T19:54:34.334Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Arcadia V2","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cointelegraph.com/news/arcadia-finance-hacked-on-ethereum-and-optimism-for-455k","type":"other","url":""},{"credibility":3,"name":"https://arcadiafinance.medium.com/post-mortem-72e9d24a79b0","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/defi-platform-arcadia-finance-falls-victim-455k-hack-ethereum-optimism/","type":"other","url":""},{"credibility":3,"name":"https://beincrypto.com/defi-arcadia-finance-exploited-455000-tvl/","type":"other","url":""},{"credibility":3,"name":"https://cryptobriefing.com/defi-protocol-hack-drains-455k/","type":"other","url":""},{"credibility":3,"name":"https://coinmarketcap.com/academy/article/arcadia-finance-lost-dollar455k-in-hack-exploiter-contacted","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.certik.com/resources/blog/arcadia-incident-analysis-arbitrary-swapData","type":"other","url":""},{"credibility":3,"name":"https://rekt.news/arcadiafi-rekt","type":"other","url":""},{"credibility":3,"name":"https://cryptonews.com/news/hackers-drain-2-5m-from-arcadia-finance-on-base-blockchain-heres-what-happened/","type":"other","url":""},{"credibility":3,"name":"https://www.theblock.co/post/362624/arcadia-hack","type":"other","url":""},{"credibility":3,"name":"https://revoke.cash/exploits/arcadia-finance","type":"other","url":""},{"credibility":3,"name":"https://www.dlnews.com/articles/defi/coinbased-backed-arcadia-finance-offers-hacker-bounty/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://rekt.news/arcadiafi-rekt","type":"other","url":""},{"credibility":3,"name":"https://docs.arcadia.finance/security-and-risk/audits","type":"other","url":""},{"credibility":3,"name":"https://olympix.security/blog/arcadias-3-6m-exploit-and-how-olympix-would-have-prevented-it","type":"other","url":""},{"credibility":3,"name":"https://www.guardrail.ai/blog/arcadia-finance-hack-july-2025","type":"other","url":""},{"credibility":3,"name":"https://www.quillaudits.com/blog/hack-analysis/arcadia-finance-hack-analysis","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://www.outlookbusiness.com/news/latest-crypto-news-hacker-drains-455k-from-arcadia-s-ethereum-optimism-vaults-zachxbt-s-research-cited-in-canadian-nft-rug-pull-class-action-lawsuit-news-301762","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/arcadia-finance-exploit-2-5m-crypto-theft","type":"other","url":""},{"credibility":3,"name":"https://www.coinspeaker.com/arcadia-finance-hacked-for-2-5m-can-it-recover/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://arcadiafinance.medium.com/introducing-arcadia-v2-79ee345af20b","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/arcadia-v2","type":"other","url":""},{"credibility":3,"name":"https://www.crunchbase.com/organization/arcadia-finance","type":"other","url":""},{"credibility":3,"name":"https://docs.arcadia.finance/governance/tokenomics","type":"other","url":""},{"credibility":3,"name":"https://icodrops.com/arcadia-finance/","type":"other","url":""},{"credibility":3,"name":"https://hackenproof.com/companies/arcadia-finance","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://defillama.com/protocol/arcadia-v2","type":"other","url":""},{"credibility":3,"name":"https://www.coingecko.com/en/coins/arcadia","type":"other","url":""},{"credibility":3,"name":"https://cryptorank.io/price/arcadia-finance","type":"other","url":""},{"credibility":3,"name":"https://www.dlnews.com/articles/defi/coinbased-backed-arcadia-finance-offers-hacker-bounty/","type":"other","url":""}]}],"sources_used":[],"summary":"Arcadia V2 is a non-custodial leverage farming and liquidity management protocol operating primarily on Base, developed by Belgium-based Arcadia Finance (founded 2021, backed by Coinbase Ventures). The protocol has suffered two serious security exploits: a July 2023 reentrancy attack on its V1 codebase draining approximately $455K across Ethereum and Optimism, and a more severe July 2025 arbitrary calldata exploit on V2's Rebalancer contract that drained approximately $3.6M on Base despite multiple prior audits. ZachXBT has flagged the protocol as a high-risk entity given this pattern of repeated critical security failures.","timeline":[{"date":"2021-01-01","event":"Arcadia Finance founded in Mechelen, Belgium by Jasper Van Pee and Thomas Smets.","source":""},{"date":"2023-07-10","event":"V1 protocol exploited on Ethereum and Optimism via reentrancy attack on liquidateVault() function; approximately $459,030 stolen. PeckShield identifies the attack. Optimism attacker launders ~180 ETH via Tornado Cash.","source":""},{"date":"2023-07-10","event":"Arcadia Finance pauses all contracts, issues on-chain message to attacker demanding return of funds within 24 hours. No funds recovered. TVL drops 76%.","source":""},{"date":"2023-10-01","event":"Arcadia partners with Trust Security for first V2 security review.","source":""},{"date":"2024-01-01","event":"Arcadia V2 audit program begins: Renascence, Pashov Audit Group, and Sherlock contest all review complete V2 codebase in Q1 2024. Pashov internally flags but does not report a vulnerability in SwapLogic._swapViaRouter().","source":""},{"date":"2024-01-01","event":"Arcadia V2 targets Q1 2024 launch on Base (announced as goal, not confirmed release date).","source":""},{"date":"2024-04-01","event":"Sherlock audit contest covers Aerodrome Asset Modules for Arcadia V2 (Q2 2024).","source":""},{"date":"2025-03-12","event":"Arcadia Finance announces public token sale for $AAA on Fjord launchpad.","source":""},{"date":"2025-04-10","event":"AAA Token Generation Event (TGE) completed. AAA reaches all-time high of $1.71 on day of TGE.","source":""},{"date":"2025-06-01","event":"Arcadia Finance joins the Circle Alliance.","source":""},{"date":"2025-07-14","event":"Attacker funds wallet via Tornado Cash on Ethereum at 10:58 PM UTC; bridges funds to Base approximately 30 minutes later.","source":""},{"date":"2025-07-15","event":"Arcadia V2 Rebalancer contract exploited on Base at 4:03 AM UTC via arbitrary swapData calldata injection. Approximately $3.6M (USDC, USDS, Aerodrome, Slipstream LP NFTs) drained across multiple transactions. CertiK and Cyvers raise initial on-chain alarms.","source":""},{"date":"2025-07-15","event":"Arcadia Finance pauses all contracts, advises users to revoke approvals and disable automations. Offers attacker 10% bounty (~$360K) for 90% fund return within 24 hours. Attacker does not respond.","source":""},{"date":"2025-07-15","event":"AAA token drops approximately 46% in trading following the hack disclosure.","source":""},{"date":"2025-07-15","event":"Stolen funds (approximately 1,203 ETH) bridged from Base to Ethereum via Across Protocol and Relay.","source":""}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision b2e9e7bf-7f81-4984-b1b0-c8fa870c28e1
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.