Vicuna Finance Post Mortem: Anatomy of a $700K Oracle Attack
Summary
Vicuna Finance is a decentralized lending protocol deployed on the Sonic chain. On March 28, 2025, the protocol was targeted by an oracle manipulation attack that exploited a mispricing mechanism in a newly launched market using Beets LP tokens as collateral. The attacker manipulated the token ratio within the LP to artificially inflate its value, enabling excessive borrowing against the overpriced LP tokens.
As a result, two side markets — the $S market and the stablecoin market — were drained, leading to an estimated total loss of approximately $700K.
Timeline
Below we list the timeline of this exploit:
- The attacker's address 0xBF43...65FE receives 39.03 $S from the previous Vicuna Finance exploiter (Previous Vicuna Finance Exploit).
- The Beets $S-stS LP market is deployed at 0x83Dd...8e44.
- The Beets USDC-scUSD LP market is deployed at 0x5B02...3048. After the introduction of these markets, the protocol becomes vulnerable to attack.
- The attacker executes the exploit via transaction 0x79e1...e265.
- The attacker completes token swaps, converting the illicit profits into $S, the native gas token.
- The attacker bridges 81,944.3 $S to the Base chain using Debridge.
- 367.9 ETH is bridged from the Base chain to Ethereum via Debridge to the address 0xad22...eff3, where the attacker appears to store the profits.
- Admin actions are taken to pause the affected markets through transactions 0x1316...baa0 and 0x853f...0c99.
Root Cause Analysis
The LP token was priced based on the sum of the values of its underlying assets:
price_lp = price_token1 * amount_token1 + price_token0 * amount_token0

Figure 1: Oracle code used to price LP tokens in Vicuna Finance.
This method fails to consider the invariant-based valuation (also known as fair pricing) that protects against manipulation. The attacker exploited this by drastically altering the token balances in the pool, temporarily inflating the oracle-reported LP value. This enabled them to over-borrow against the collateral and later restore the pool's balance, leaving the protocol with bad debt.
The full exploit sequence in each market was as follows:
- Manipulate pool ratio: Perform a large swap from token0 to token1, artificially inflating the LP token's oracle price.
- Deposit collateral: Deposit the overvalued LP tokens as collateral.
- Borrow funds: Borrow assets against the inflated LP collateral.
- Reverse swap: Swap token1 back to token0, deflating the LP price and creating bad debt.
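The gap between the sum-of-reserves formula and invariant-based (fair) pricing, shown as an added example that is not Vicuna's oracle code. It assumes a fee-free constant-product pool (x * y = k), external per-token prices, constructed reserve figures and a hypothetical 2% skew threshold; pools with a different invariant need a different fair-value formula, but the comparison works the same way.

```python
import math

# Assumptions (not from the post-mortem): constant-product pool without fees,
# external per-token prices p0/p1, constructed reserves and LP supply.

def naive_lp_price(r0, r1, p0, p1, supply):
    """Sum-of-reserves pricing, as in the formula above: follows spot reserves."""
    return (p0 * r0 + p1 * r1) / supply

def fair_lp_price(r0, r1, p0, p1, supply):
    """Invariant-based pricing: values the pool at the reserves it would hold
    if balanced at the external prices. Depends only on k = r0 * r1."""
    return 2.0 * math.sqrt(r0 * r1 * p0 * p1) / supply

def swap_token0_in(r0, r1, amount_in):
    """Constant-product swap of token0 for token1; returns the new reserves."""
    k = r0 * r1
    new_r0 = r0 + amount_in
    return new_r0, k / new_r0

def skew(r0, r1, p0, p1):
    """Relative excess of the naive value over the fair value (0 when balanced).
    By AM-GM the naive value is never below the fair value, so any imbalance
    against the external prices inflates the naive oracle."""
    return naive_lp_price(r0, r1, p0, p1, 1.0) / fair_lp_price(r0, r1, p0, p1, 1.0) - 1.0

def collateral_price(r0, r1, p0, p1, supply, max_skew=0.02):
    """Hardened read: always return the fair price, plus a flag a monitor can
    alert on when reserves are skewed beyond max_skew (hypothetical threshold)."""
    return fair_lp_price(r0, r1, p0, p1, supply), skew(r0, r1, p0, p1) > max_skew

def demo():
    r0, r1, p0, p1, supply = 1_000_000.0, 1_000_000.0, 1.0, 1.0, 1_000_000.0
    before = (naive_lp_price(r0, r1, p0, p1, supply), fair_lp_price(r0, r1, p0, p1, supply))
    s0, s1 = swap_token0_in(r0, r1, 3_000_000.0)   # large one-sided swap
    after = (naive_lp_price(s0, s1, p0, p1, supply), fair_lp_price(s0, s1, p0, p1, supply))
    return before, after, collateral_price(s0, s1, p0, p1, supply)

if __name__ == "__main__":
    before, after, (price, flagged) = demo()
    print("balanced pool  naive=%.4f fair=%.4f" % before)
    print("skewed pool    naive=%.4f fair=%.4f" % after)
    print("hardened read  price=%.4f skew_alert=%s" % (price, flagged))
```

The naive price more than doubles after the swap while the fair price does not move, which is why collateral valued with the invariant-based formula cannot be inflated by shifting the pool ratio.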
Next Steps
Vicuna Finance is actively working with leading Web3 security firms, including Decentralized Intelligence (@d23e_AG), to trace the attacker's funds and explore potential recovery options.
Improving Security
Looking forward, the Vicuna team is committed to prioritizing security by conducting additional audits, integrating advanced on-chain monitoring systems, and adopting more robust oracle designs to prevent similar vulnerabilities.