Lending protocol Sturdy Finance drained of $800,000 in security attack

Quick Take

  • Sturdy Finance suffered a loss of $800,000 in an attack caused by a manipulated price oracle.
  • The team reported it suspended all its markets to avert further potential losses.

Sturdy Finance, a decentralized lending protocol, fell victim to a security attack today, which led to a loss of 442 ether or about $800,000. The unknown attacker took advantage of a reentrancy vulnerability that later facilitated the manipulation of a faulty price oracle, thereby enabling them to siphon off funds.

In decentralized finance applications, price oracles are pivotal as they provide real-world price data. However, they also represent a potential target for hackers who can exploit them.

The attack on Sturdy Finance was initiated by a reentrancy attack — a method typically used to illicitly withdraw funds from DeFi protocols. This attack takes advantage of the ability to call a function repeatedly within a single transaction before the original function call is completed. This, in turn, allows the attacker to withdraw more funds than they would legitimately be entitled to.

Having established the ability to manipulate the sequence of function calls, the attacker then turned to the price oracle. Sturdy Finance’s price oracle, which took its value from a separate “read-only” smart contract, was manipulated.

This oracle was designed to determine the accurate market value of assets in a liquidity pool managed by Sturdy Finance’s team on the Balancer decentralized exchange, thus facilitating the trading of staked ether. However, the exploitation of the oracle enabled the attacker to drain funds from Sturdy Finance, according to security firm BlockSec.

BlockSec stated that "the root cause is due to the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated."
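As an added illustration, not code from Sturdy Finance, Balancer or this article, the contract below places the unguarded oracle read described above beside the guard that Balancer later published for exactly this class of read-only reentrancy. The pool pricing is deliberately simplified, the Vault interface is trimmed to the two functions used, and every name other than the Vault’s own `manageUserBalance`, `getPoolTokens` and the `BAL#400` error string is a hypothetical chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Trimmed Balancer V2 Vault surface: only what the guard and the price read need.
interface IVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL, TRANSFER_INTERNAL, TRANSFER_EXTERNAL }
    struct UserBalanceOp { UserBalanceOpKind kind; address asset; uint256 amount; address sender; address payable recipient; }
    function manageUserBalance(UserBalanceOp[] memory ops) external payable;
    function getPoolTokens(bytes32 poolId)
        external view returns (address[] memory tokens, uint256[] memory balances, uint256 lastChangeBlock);
}
interface IBalancerPool { function totalSupply() external view returns (uint256); }

// Simplified oracle (hypothetical): values one pool token (BPT) as total pool balances per
// BPT, treating both assets as equal in value. Real stETH/WETH pricing is more involved;
// the point here is the reentrancy guard, not the pricing math.
contract BptPriceOracle {
    // The Vault's nonReentrant guard reverts with the error string "BAL#400" when tripped.
    bytes32 private constant REENTRANCY_ERROR_HASH = keccak256(abi.encodeWithSignature("Error(string)", "BAL#400"));

    IVault public immutable vault;
    IBalancerPool public immutable pool;
    bytes32 public immutable poolId;
    constructor(IVault _vault, IBalancerPool _pool, bytes32 _poolId) { vault = _vault; pool = _pool; poolId = _poolId; }
    // VULNERABLE pattern: a plain view of Vault state. Called from inside a Vault operation
    // (for example during an ETH refund mid-exit, before balances are written back), BPT supply
    // can already be reduced while balances are not, so the returned price is inflated.
    function priceUnguarded() external view returns (uint256) { return _price(); }
    // HARDENED pattern: first prove the Vault is not in the middle of an operation.
    function price() external view returns (uint256) {
        _ensureNotInVaultContext();
        return _price();
    }
    // Same idea as Balancer's published VaultReentrancyLib: a staticcall into a nonReentrant,
    // state-changing Vault function always fails, but it fails with BAL#400 only while the
    // Vault's reentrancy lock is held. Any other revert data means the Vault is idle.
    function _ensureNotInVaultContext() internal view {
        (, bytes memory revertData) =
            address(vault).staticcall(abi.encodeWithSelector(vault.manageUserBalance.selector, 0));
        require(keccak256(revertData) != REENTRANCY_ERROR_HASH, "oracle: vault reentrancy");
    }
    function _price() internal view returns (uint256) {
        (, uint256[] memory balances, ) = vault.getPoolTokens(poolId);
        uint256 total;
        for (uint256 i = 0; i < balances.length; i++) total += balances[i];
        return total * 1e18 / pool.totalSupply(); // 18-decimal price of one BPT
    }
}
```

A lending market that consumed `price()` instead of `priceUnguarded()` would see the call revert during the mid-exit window rather than receive a stale, inflated value.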

Sturdy pauses markets

Sturdy Finance reacted to the attack by suspending all of its markets to prevent further potential losses, assuring its users that no other funds were in danger as a result of the breach.

“All markets have been paused; no additional funds are at risk, and no user actions are required at this time,” said the team. “We will be sharing more information as soon as we have it.”

After the attack, on-chain data shows that the attacker used the Tornado Cash mixer to obscure the activity.

In 2022, Sturdy Finance raised $3 million in a series of rounds to build an interest-free borrowing and lending platform. The funding was led by Pantera and also saw participation from Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.