Sturdy Finance, a decentralized lending protocol, fell victim to a security attack today, which led to a loss of 442 ether or about $800,000. The unknown attacker took advantage of a reentrancy vulnerability that later facilitated manipulation of a faulty price oracle, thereby enabling them to siphon off funds.
In decentralized finance (DeFi) applications, price oracles are pivotal as they provide real-world price data. However, they also represent a potential target for hackers who can exploit them for security breaches.
The attack on Sturdy Finance was initiated by a reentrancy attack, a method typically used to illicitly withdraw funds from DeFi protocols. This type of attack takes advantage of the ability to call a function repeatedly within a single transaction before the original function call is completed. This, in turn, allows the attacker to withdraw more funds than they would legitimately be entitled to.
After the attacker had established the ability to manipulate the function calls, they proceeded to exploit the price oracle. Sturdy Finance’s price oracle, which derived its value from a separate “read-only” smart contract, was manipulated. The oracle was designed to report the accurate market value of assets in a liquidity pool, managed by Sturdy’s team on the Balancer decentralized exchange, that facilitates the trading of staked ether (stETH). Manipulating the oracle enabled the attacker to drain funds from Sturdy.
BlockSec, a security firm, stated, “The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated.”
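As a defensive illustration, added here and not code from Sturdy, Balancer or BlockSec, the following oracle contract refuses to read a Balancer pool’s LP-token rate while the Balancer Vault is mid-execution, which is the standard mitigation for the read-only reentrancy BlockSec describes. It follows the approach of Balancer’s published VaultReentrancyLib (an empty `manageUserBalance` call passes through the Vault’s reentrancy guard, so it reverts with `BAL#400` only when the Vault is already executing); the trimmed `IVault` interface, the `IRateProvider` interface with `getRate()`, and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed subset of the Balancer Vault interface: only what the guard needs.
interface IVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL, TRANSFER_INTERNAL, TRANSFER_EXTERNAL }
    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address asset;
        uint256 amount;
        address sender;
        address payable recipient;
    }
    function manageUserBalance(UserBalanceOp[] calldata ops) external payable;
}

// Assumed interface for a Balancer stable pool's LP-token rate (e.g. B-stETH-STABLE).
interface IRateProvider {
    function getRate() external view returns (uint256);
}

contract GuardedPoolTokenOracle {
    IVault public immutable vault;
    IRateProvider public immutable pool;

    constructor(IVault _vault, IRateProvider _pool) {
        vault = _vault;
        pool = _pool;
    }

    // Revert if the Vault is currently executing (i.e. this oracle is being read
    // from inside a join/exit/swap callback). An empty manageUserBalance call is a
    // no-op that still runs the Vault's reentrancy guard, so if it reverts with the
    // REENTRANCY error (BAL#400) the pool state we are about to read is stale.
    function _ensureNotInVaultContext() internal view {
        IVault.UserBalanceOp[] memory noOps = new IVault.UserBalanceOp[](0);
        (, bytes memory revertData) = address(vault).staticcall(
            abi.encodeWithSelector(IVault.manageUserBalance.selector, noOps)
        );
        bytes memory reentrancyError = abi.encodeWithSignature("Error(string)", "BAL#400");
        require(keccak256(revertData) != keccak256(reentrancyError), "vault reentrancy");
    }

    // The unguarded version is simply `return pool.getRate();`, which is what a
    // read-only reentrancy attack relies on being called mid-transaction.
    function getPrice() external view returns (uint256) {
        _ensureNotInVaultContext();
        return pool.getRate();
    }
}
```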
Sturdy pauses markets
Sturdy Finance reacted to the attack by suspending all of its markets to prevent further potential losses, assuring its users that no other funds were in danger as a result of the breach.
“All markets have been paused; no additional funds are at risk, and no user actions are required at this time,” said the team. “We will be sharing more information as soon as we have it.” After the attack, on-chain data shows that the attacker used the Tornado Cash mixer to obscure the activity.
In 2022, Sturdy Finance raised $3 million in a series of rounds to construct an interest-free borrowing and lending platform. The funding was led by Pantera and also saw participation from Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.