Lending protocol Sturdy Finance drained of $800,000 in security attack

Crypto Ecosystems • June 12, 2023, 12:48AM EDT
UPDATED: June 12, 2023, 2:32AM EDT
The Block

Quick Take

  • Sturdy Finance suffered a loss of $800,000 in an attack caused by a manipulated price oracle.
  • The team reported it suspended all its markets to avert further potential losses.

Sturdy Finance, a decentralized lending protocol, fell victim to a security attack today, which led to a loss of 442 ether or about $800,000.  The unknown attacker took advantage of a reentrancy vulnerability that later facilitated the manipulation of a faulty price oracle, thereby enabling them to siphon off funds.

In decentralized finance applications, price oracles are pivotal as they provide real-world price data. However, they also represent a potential target for hackers who can exploit them.

The attack on Sturdy Finance was initiated by a reentrancy attack — a method typically used to illicitly withdraw funds from DeFi protocols. This attack takes advantage of the ability to call a function repeatedly within a single transaction before the original function call is completed. This, in turn, allows the attacker to withdraw more funds than they would legitimately be entitled to.

After the attacker established the ability to manipulate the function calls, they then exploited the price oracle. Sturdy Finance’s price oracle, derived from a separate “read-only” smart contract, was manipulated.

This oracle was designed to determine the accurate market value of assets in a liquidity pool managed by Sturdy Finance's team on the Balancer decentralized exchange, thus facilitating the trading of staked ether. However, the exploitation of the oracle enabled the attacker to drain funds from Sturdy Finance, according to security firm BlockSec. 

BlockSec stated that "the root cause is due to the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated."

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Sturdy pauses markets

Sturdy Finance reacted to the attack by suspending all of its markets to prevent further potential losses, assuring its users that no other funds were in danger as a result of the breach.

“All markets have been paused; no additional funds are at risk, and no user actions are required at this time,” said the team. “We will be sharing more information as soon as we have it.”

After the attack, on-chain data shows that the attacker used the Tornado Cash mixer to obscure the activity.

In 2022, Sturdy Finance raised $3 million in a series of rounds to build an interest-free borrowing and lending platform. The funding was led by Pantera and also saw participation from Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editor of this story:
Adam James at
[email protected]

More by Vishal Chawla