Sturdy Finance Exploited for $800,000

  • The decentralized lending protocol paused all its markets after an attacker used a manipulated price oracle to steal 442 ETH from the platform.
  • Blockchain security firm BlockSec noted that the attacker used a reentrancy vulnerability to manipulate a price oracle that determined the prices of assets in a liquidity pool on Balancer.

Decentralized lending protocol Sturdy Finance fell victim to a security exploit earlier today, which saw an unknown attacker drain around $800,000 from the platform, blockchain security firm PeckShield said via Twitter on 12 June.

Shortly after PeckShield’s alert, the team behind Sturdy Finance said it was aware of the exploit and that it had paused all of the markets on the platform, assuring users that no additional funds were at risk. PeckShield noted that the issue was most likely price manipulation, and that the 442.6 Ether (ETH) that was stolen had already been transferred to Tornado Cash. Sturdy Finance said via Twitter:

“We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time. We will be sharing more information as soon as we have it.”

Blockchain security firm BlockSec later clarified that the attacker most likely used a reentrancy attack — which exploits the ability to repeatedly call the same function in a single transaction, before the original function is completed — to manipulate a faulty price oracle. Through this method, the attacker was able to withdraw more funds from the protocol than they legitimately were entitled to.

Sturdy Finance’s manipulated price oracle, derived from a separate read-only smart contract, was designed to track the accurate market value of digital assets in a liquidity pool on the Balancer decentralized exchange.
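The general pattern BlockSec describes, a read-only price getter consulted while another call is still in progress, can be shown with a small model. This is an added illustration, not code from Sturdy Finance, Balancer, or BlockSec; `ToyPool`, `share_price`, `exit_pool` and `observe_prices` are hypothetical names, and the order of state updates is an assumption chosen to show the inconsistency and the guard that removes it.

```python
# Added illustration: a toy model, not Sturdy's or Balancer's contract code.
class ReentrantRead(Exception):
    """Raised when a view function is called while the pool is mid-operation."""

class ToyPool:
    def __init__(self, balance, shares, guard_views):
        self.balance = balance          # assets held by the pool
        self.shares = shares            # pool shares outstanding
        self.guard_views = guard_views  # True = view functions honour the lock
        self._entered = False           # reentrancy lock

    def share_price(self):
        # Read-only getter of the kind a lending protocol's oracle consults.
        if self.guard_views and self._entered:
            raise ReentrantRead("pool state is mid-update")
        return self.balance / self.shares

    def exit_pool(self, shares_in, on_receive):
        # Assumed ordering: shares are burned and the payout is sent
        # (an external call) before the balance is written back.
        self._entered = True
        try:
            payout = self.balance * shares_in // self.shares
            self.shares -= shares_in
            on_receive(payout)      # control passes to the receiver here
            self.balance -= payout
        finally:
            self._entered = False

def observe_prices(guard_views):
    """Return (price before, price read during the callback, price after)."""
    pool = ToyPool(balance=1_000, shares=1_000, guard_views=guard_views)
    seen = {}

    def receiver(_payout):
        try:
            seen["during"] = pool.share_price()
        except ReentrantRead:
            seen["during"] = None   # the guarded read reverts instead

    before = pool.share_price()
    pool.exit_pool(500, receiver)
    return before, seen["during"], pool.share_price()
```

With the view guard off, the price read during the callback is double the true value; with it on, the same read is rejected, so a consumer of the price cannot act on half-updated state.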
