Arkadiko Swap Post Mortem

We regret to inform you that at block #35441, roughly 7 hours ago a hacker exploited a bug in the Arkadiko Swap smart contract and managed to drain 400K STX and the equivalent in USDA, which was 12% of the total value in the STX-USDA liquidity pool.

This only affected STX-USDA on Arkadiko Swap, all other parts of the protocol such as Vaults, Staking Module and stDIKO are unaffected by this attack.

After confirming the vulnerability in the Swap contract, the Arkadiko team ran the same exploit to recover the remaining assets underlying the liquidity pool. All remaining funds are safe!

Over 88% of all liquidity pool assets in STX/USDA on the Swap were recovered. STX/DIKO and DIKO/USDA are unaffected and have not incurred any losses. We will design a mechanism to add the liquidity again so that LPs may re-access their funds through their existing LP tokens.

This is the address that holds all the funds that the team secured from the dysfunctional Swap contract: SPABAGDXT8KS0CA48BFXBTAJCYX4YF11TJ8KS8XD

https://explorer.stacks.co/address/SPABAGDXT8KS0CA48BFXBTAJCYX4YF11TJ8KS8XD?chain=mainnet

This is the attacker transaction that initiated the hack: https://explorer.stacks.co/txid/0x4d78fe328be831db1b68e50c4eab7fc57c328af5f441d40238436893d1b8ee28?chain=mainnet

We are currently writing a more detailed post-mortem with technical details on the hack. The Swap will be disabled until we patch it (new contract will run through governance update). Vaults + staking continues to run as normal.

We are still deciding on how to cover the lost funds and how to relaunch the Swap and continue the full operation of the protocol.

Users will not be able to access their liquidity while the protocol is not fully enabled with Arkadiko Swap offline. This can mean that Vault depositors will not be able to find USDA to repay the loan to unlock their collateral.

The team regrets that this event has come to pass. We hope the community will continue to support us and face these tough times together with us.

Arkadiko Protocol is a stablecoin (USDA) built on Stacks to bring DeFi to Bitcoin.