Arbix Finance Postmortem

Arbix Finance - REKT Analysis

What Happened

Arbix Finance, a BSC-based arbitrage project, executed a rug pull on January 4, 2022. The project operators drained user funds from single-asset vaults, then deleted their website, Twitter, and Telegram accounts. The incident occurred around 3 AM UTC.

Attack Vector & Exploit Steps

1. Initial Setup: Arbix Finance operated vaults where users deposited assets expecting "optimal yield with low risk"

2. Token Manipulation: On December 10, 2021, the team minted 4.5M ARBX tokens to 0x161262d172699cf0a5e09b6cdfa5fee7f32c183d

3. Vault Drainage: Beginning January 4, approximately $10M was drained directly from user vaults into 0x4714a26e4e2e1334c80575332ec9eb043b61a2c4

4. Token Dump: 4.5M ARBX tokens were dumped via PancakeSwap, collapsing price from $1.42 to ~$0.00, generating ~$50k in proceeds

5. Fund Conversion: Assets bridged to Ethereum, then converted to ~2.5k ETH, transferred to 0xdc85c1eb22b0ece7be559a83fd788fe57f5a7a9f

Financial Impact

Total Loss: ~$10 million

Breakdown:

• ~$1M BTCB (tx: 0xfbba507c8e90a264d5e77e5db854f5697572da1681f3647d4fa4381f7ef825b9)

• $920k ETH (tx: 0x55d17937c5ff918a9314dd96d75ce770c9d8a06f119fbbe28359387a1c69ec39)

• $2.25M BSC-USD (tx: 0xb5682534481ffd22db6ba777051049e2c9805d6bd04733772915e84f8a32a5a5)

• $1.7M BUSD (tx: 0x79f40c432499301f8aa2d9fdddc0d451655f1ec6be6b97e425ef29130bb6f954)

• $1.4M CAKE (tx: 0x5fac3ef218e76a7bbfa38284df91a0baad4bf5ef068ecc2045feac4238356aa0)

• $1M BSC-USDC (tx: 0x91981907416ab908ec4134f12204a837b5207fb6fe31c7a7e93a5df503a25b6b)

• Lesser amounts of ADA, DOT, DOGE, LINK, XRP, WBNB

Technical Root Cause

The article provides no specific smart contract vulnerabilities. The scheme relied on owner-controlled vault access and token minting privileges rather than exploitable code flaws.

Remediation & Trust Issues

Certik had provided an audit in November 2021, marking all critical issues as resolved. However, the audit failed to prevent the rug pull, highlighting limitations in security assessments for projects with malicious intent baked into their design.