• The Milady project suffered loss of $1 million in fees as a result of the exploit.
• The exploit was reportedly carried out by a developer within the Milady ecosystem.
• Social media accounts were also compromised.

Milady, a non-fungible token (NFT) project built on the Ethereum blockchain, has fallen victim to a major exploit that has significantly impacted the project’s finances and social media presence.

The exploit was disclosed by Charlotte Fang, one of the co-founders of the Milady NFT collection, on September 11 via X (formerly Twitter). She revealed that a developer within the Milady ecosystem had successfully diverted approximately $1 million in generated fees away from Remilia Corporation.

I am heartbroken that there were people within this brilliant, loving community with so much wealth and enrichment for everyone involved that would scheme from within for short term profit at the expense of everything we have built together.

I am so sorry that you have to deal…

— sheep rotator (@sheeparepeople) September 11, 2023

Milady is a collection of 10,000 anime profile picture NFTs designed and launched in 2021 by Fang. In May 2023, Tesla CEO Elon Musk publicly endorsed Milady NFTs, resulting in a significant increase in their floor price. The floor price of a Milady NFT currently stands at 2.86 ETH, reflecting a 15% decrease over the past 24 hours, according to OpenSea data.

Remilia DAO Compromised

Remilia Corporation, a decentralized autonomous organization (DAO) backing the Milady Maker NFT project, had its revenue compromised due to an exploit involving Bonkler, an experimental finance art project created in April 2023, as confirmed by Fang.

Fang has, however, reassured the community that Bonkler reserves, main contract, and NFTs were secure, and that only Remilia’s revenue from Bonkler had been compromised. She emphasized that Remilia’s reserves remained “unaffected,” and user assets were “perfectly safe.”

Attacker Targets Social Media Accounts

In addition to seizing fee reserves, the attacker also took control of critical codebases and attempted to manipulate Remilia’s social media accounts.

Fang reported that the attacker had successfully taken over three X accounts, including Miladymaker and Remilionaire, while Remiliacorp was locked out. She urged caution, advising users to consider these three accounts as compromised. Fang provided new official accounts for the community to follow, including RemiliaCorp333, MiladyMaker333, and RemilioBaby.

Individuals responsible for attack identified

Fang has revealed that that Remilia had identified the individuals responsible for the exploit and expressed their determination to pursue legal action.

She stated, “We expect all our property to be returned” and added, “For such viciousness, I can give no quarter—the individuals involved have been terminated from Remilia Corporation, and will now be dealt with through the heavy hand of the law.”

• Rodeo Finance is an Arbitrum-based decentralized finance (DeFi) protocol.
• The hacker manipulated price oracles and executed trades using the manipulated price.
• The price of Rodeo Finance’s native token has plunged 54% after the hack.

On July 11, the Arbitrum-powered decentralised finance (DeFi) protocol Rodeo Finance was hacked resulting in the loss of 810 Ether (ETH) worth $1.53 million. The DEX was exploited using a code vulnerability in its Oracle.

Peckshield, a blockchain analytics company, revealed data showing that the exploiter eventually transferred the stolen funds from Arbitrum to Ethereum and exchanged 285 ETH for $unshETH. The ETH was subsequently placed on ETH2 staking by the exploiter. Last but not least, the exploiter used Tornado Cash, a well-known mixer service, to route the stolen ETH.

Time-Weighted Average Price (TWAP) Orcale manipulation

The hacker manipulated the Rodeo’s Time-Weighted Average Price (TWAP) Orcale and tampered with the pricing of the ETH.

The TWAP Oracle is used by DeFi protocols to calculate the average price of assets for a specific time frame to mitigate price fluctuation due to the volatility in the crypto market. However, it is vulnerable to manipulations through artificial skewing of the calculated average prices of assets.

The exploiter first borrowed a large sum of ETH and then artificially manipulated the price to buy the same asset at a deflated price. Later the hacker returned the loan and made a profit based on the low price after the manipulations.

Rodeo’s TVL drops significantly

Besides causing the Rodeo Finance (RDO) token to tumble 54%, the hack has also caused the total value locked (TVL) in Rodeo to drastically fall.

Before the hack, the DeFi protocol had $20 million in TVL, but it has since dropped below $500 after the hack.

This is the second time that Rodeo Finance is being hacked in July 2023. It was hacked again on July 5, 2023, and $89,000 worth of crypto assets were lost due to a vulnerability in its ‘mintProtocolReserves’ function.