- Arcadia Finance offers its hacker a bounty.
- It's a common negotiation tactic for hacked DeFi protocols.
- 2025 is the worst year ever for crypto theft.
Arcadia Finance just issued the person who hacked it with an ultimatum — pay back 90% of the money stolen or get hunted.
The liquidity management platform issued the warning on Tuesday after the hacker used a bug in Arcadia’s code to steal $3.5 million over more than a dozen transactions spanning several hours.
“Return 90% of stolen funds… within 24 hours and keep 10% as a white-hat bounty, there will be no further pursuit,” the Arcadia team said in an onchain message sent to the hacker’s wallet at 11:36am UK time.
“Otherwise, we’ll launch a 10% public bounty for information leading to your identification, arrest, and conviction in court, while escalating legal efforts.”
Arcadia also acknowledged the hack in an X post, advising users to revoke permissions for its smart contracts.
Asking hackers to return the funds they stole, minus a 10% bounty, in return for a promise not to hunt them down or pursue legal action is a common negotiation tactic when DeFi protocols get exploited.
Last week, perpetual futures exchange GMX successfully negotiated the return of $40 million it lost to a hacker by offering a 10% bounty.
Negotiations aren’t everyone’s cup of tea, however.
Coinbase, the centralised crypto exchange that’s also an Arcadia investor, responded to an exploit and a subsequent $20 million ransom note in May by issuing a $20 million reward for anyone contributing to the arrest and conviction of the attackers.
The attack vector
Before the hack, Arcadia held over $21 million worth of user deposits, and was among the fastest growing protocols on Base, the layer 2 blockchain created and managed by Coinbase.
Multiple crypto security experts attributed the hack to a so-called arbitrary call vulnerability in Arcadia’s smart contract code. It let the hacker withdraw more assets from the protocol than they should’ve been able to.
Arbitrary call vulnerabilities are not uncommon, and crypto security experts often provide guidance on how protocols can avoid them.
In January, Odos Protocol, another DeFi protocol on Base, lost $50,000 to a hacker who exploited an arbitrary call vulnerability.
In 2023, CoW Swap, a decentralised exchange, lost $180,000 to a similar bug.
Arcadia’s AAA token dropped 46% in the aftermath of the hack and trades at around $0.18.
2025 is the worst year ever for crypto thefts, with hackers stealing over $2 billion so far, per DefiLlama data.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.