Decentralized lending protocol Sturdy Finance fell victim to a security exploit earlier today, which saw an unknown attacker drain around $800,000 from the platform, blockchain security firm PeckShield said via Twitter on 12 June.
Shortly after PeckShield’s alert, the team behind Sturdy Finance said it was aware of the exploit and that it had paused all of the markets on the platform, assuring users that no additional funds were at risk. PeckShield noted that the issue was most likely price manipulation, and that the 442.6 Ether (ETH) that was stolen had already been transferred to Tornado Cash. Sturdy Finance said via Twitter:
“We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time. We will be sharing more information as soon as we have it.”
Blockchain security firm BlockSec later clarified that the attacker most likely used a reentrancy attack — which exploits the ability to repeatedly call the same function in a single transaction, before the original call has completed — to manipulate a faulty price oracle. Through this method, the attacker was able to withdraw more funds from the protocol than they were legitimately entitled to.
Sturdy Finance’s manipulated price oracle — derived from a separate read-only smart contract — was designed to track the market value of the digital assets held in a liquidity pool on the Balancer decentralized exchange.
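To make the failure mode concrete for defenders, the following is an added, constructed model of the pattern the article describes, not code from Sturdy Finance, Balancer, BlockSec or PeckShield, and the pool numbers are made up. A toy pool burns LP shares, makes an external call, and only then reduces its reserve, so a "reserve / supply" view read during that call is inflated. A naive oracle serves that value; a guarded oracle refuses to answer while the pool reports that it is mid-operation, which is the standard mitigation for read-only reentrancy against pool-derived prices.

```python
"""Toy model of read-only reentrancy against a pool-derived price oracle.

Constructed example for illustration; it is not Sturdy Finance's, Balancer's
or BlockSec's code, and the numbers are made up.
"""


class PriceReadDuringReentrancy(Exception):
    """Raised by the guarded oracle when the pool is mid-operation."""


class Pool:
    """Minimal liquidity pool: `reserve` tokens backing `supply` LP shares."""

    def __init__(self, reserve: float, supply: float) -> None:
        self.reserve = reserve
        self.supply = supply
        self.locked = False  # set while a pool operation is in progress

    def price_per_share(self) -> float:
        """Read-only view a naive oracle would call: reserve / supply."""
        return self.reserve / self.supply

    def exit_pool(self, shares: float, on_payout) -> float:
        """Burn `shares` and pay out the proportional reserve.

        The external call `on_payout` (modelling a transfer hook or an ETH
        receive) runs after shares are burned but before the reserve is
        decremented, so pool state is transiently inconsistent.
        """
        payout = shares * self.price_per_share()
        self.locked = True
        try:
            self.supply -= shares      # step 1: shares are gone ...
            on_payout()                # external call while reserve is unchanged
            self.reserve -= payout     # step 2: ... reserve is updated last
        finally:
            self.locked = False
        return payout


class NaiveOracle:
    """Trusts the pool's view function unconditionally."""

    def __init__(self, pool: Pool) -> None:
        self.pool = pool

    def price(self) -> float:
        return self.pool.price_per_share()


class GuardedOracle(NaiveOracle):
    """Refuses to serve a price while the pool is inside an operation."""

    def price(self) -> float:
        if self.pool.locked:
            raise PriceReadDuringReentrancy("pool is mid-operation; price unreliable")
        return super().price()


def observe_price_during_exit(oracle_cls) -> dict:
    """Run one exit and record what the oracle reports before, during and after.

    Returns a dict; 'during' is either the float the oracle served or the
    string 'rejected' if the guarded oracle refused the read.
    """
    pool = Pool(reserve=1000.0, supply=1000.0)  # constructed: 1.0 per share
    oracle = oracle_cls(pool)
    seen = {"before": oracle.price()}

    def on_payout():
        # A lending market valuing collateral at this moment would see the
        # inflated figure from the naive oracle (2.0 instead of 1.0 here).
        try:
            seen["during"] = oracle.price()
        except PriceReadDuringReentrancy:
            seen["during"] = "rejected"

    pool.exit_pool(shares=500.0, on_payout=on_payout)
    seen["after"] = oracle.price()
    return seen


if __name__ == "__main__":
    print("naive  :", observe_price_during_exit(NaiveOracle))
    print("guarded:", observe_price_during_exit(GuardedOracle))
```

The point of the guard is that the pool's own state, not the price consumer's, knows whether an operation is in flight; an oracle that reads a pool must ask the pool that question before trusting any view function, and a lending market should treat a rejected read as "no price available" rather than falling back to the last value.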