The DeFi lending protocol Sturdy Finance recently experienced an exploit that resulted in a loss of 442 ETH (approximately $768,800) from its platform. Blockchain security firms such as PeckShield and BlockSec brought attention to the issue, and the Sturdy Finance team subsequently acknowledged the hack. As a precaution, they paused activity on their DeFi platform while investigating the matter.
Sturdy Finance allows users to borrow against liquidity provider (LP) tokens from exchanges like Curve and Balancer as collateral. The decentralized application offers two lending markets—Ethereum and dollar-pegged stablecoins. According to Sturdy Finance core team member pgpsam, the stablecoin market was not affected by the exploit.
While the platform remains paused, users with stablecoin and ETH cannot withdraw from Sturdy’s pools. The team’s current priority is understanding the exploit and how to mitigate it, as well as communicating with the hacker.
Initial reports suggest that the attacker manipulated the price oracle of a collateral pool and drained funds from Sturdy. The BlockSec team shared a postmortem report on Twitter, noting that it was a “typical Balancer’s read-only reentrancy” attack. In a re-entrancy attack, a smart contract function makes an external call to another contract, which calls back into the first contract before that function has finished updating its state. In the read-only variant, the callback does not modify the first contract but reads a value from it, such as a price, while that state is still inconsistent.
In this case, the attacker repeatedly called the B-stETH-STABLE pool, causing the pool’s price oracle to malfunction and display a three-fold increase in the price. With B-stETH-STABLE as collateral, the attacker was able to borrow from Sturdy and, as the price inflated, withdraw collateral from the pool. The hacker ultimately profited from the difference between the actual value and the inflated amount of the collateral.
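The two paragraphs above describe why an oracle that reads a pool’s LP-token rate mid-operation can be fed a wrong price, and the standard defence: refuse to quote while the pool’s reentrancy lock is held. The following is an added, constructed model written for this article; it is not Balancer’s, Sturdy’s, or any real contract’s code. The pool, its update ordering, the oracle classes, and `observe_rate_during_exit` are all assumptions made for illustration, and the lock check mirrors the idea of consulting the Vault’s reentrancy state before trusting a rate.

```python
"""Toy model of an LP-token (BPT) price oracle and a read-only-reentrancy guard.

Constructed example for illustration only: StablePool, NaiveOracle,
GuardedOracle and observe_rate_during_exit are simplified stand-ins, not the
code of Balancer, Sturdy Finance, or any deployed contract.
"""
from dataclasses import dataclass
from typing import Callable, Dict


class ReentrancyError(Exception):
    """Raised when the oracle is asked for a price while the pool is mid-operation."""


@dataclass
class StablePool:
    balances: Dict[str, float]   # underlying token -> amount held by the pool
    bpt_supply: float            # outstanding LP (BPT) tokens
    entered: bool = False        # Vault-style reentrancy lock, held for the whole exit

    def rate(self) -> float:
        # Assumed 1:1-pegged pair, so pool value is simply the sum of balances.
        return sum(self.balances.values()) / self.bpt_supply

    def exit_pool(self, bpt_amount: float,
                  on_transfer: Callable[[Dict[str, float]], None]) -> None:
        """Redeem BPT for the underlying tokens.

        Constructed ordering: BPT is burned, then the payout is transferred, and
        the transfer runs a callback (as a native-ETH transfer to a contract
        would) between the two dependent state updates. Any external call in
        that window lets a reader observe half-updated state.
        """
        self.entered = True
        share = bpt_amount / self.bpt_supply
        payout = {token: amount * share for token, amount in self.balances.items()}
        self.bpt_supply -= bpt_amount        # state update 1: supply reduced
        on_transfer(payout)                  # external call: balances not yet reduced
        for token, amount in payout.items(): # state update 2: balances reduced
            self.balances[token] -= amount
        self.entered = False


class NaiveOracle:
    """Quotes the pool rate unconditionally, even from inside a callback."""

    def __init__(self, pool: StablePool) -> None:
        self.pool = pool

    def bpt_price(self) -> float:
        return self.pool.rate()


class GuardedOracle(NaiveOracle):
    """Refuses to quote while the pool's reentrancy lock is held.

    This is the defensive pattern: a lending market that prices collateral
    through this oracle cannot be shown a mid-operation rate.
    """

    def bpt_price(self) -> float:
        if self.pool.entered:
            raise ReentrancyError("pool is mid-operation; rate is not final")
        return self.pool.rate()


def observe_rate_during_exit(oracle_factory: Callable[[StablePool], NaiveOracle]) -> dict:
    """Run one exit on a constructed pool and record the oracle's quote before,
    during (from inside the transfer callback), and after the operation.
    'during' holds the exception class name if the oracle refused to quote."""
    pool = StablePool(balances={"stETH": 1000.0, "WETH": 1000.0}, bpt_supply=2000.0)
    oracle = oracle_factory(pool)
    result = {"before": oracle.bpt_price()}

    def on_transfer(_payout: Dict[str, float]) -> None:
        try:
            result["during"] = oracle.bpt_price()
        except ReentrancyError as exc:
            result["during"] = type(exc).__name__

    pool.exit_pool(1000.0, on_transfer)
    result["after"] = oracle.bpt_price()
    return result


if __name__ == "__main__":
    print("naive  :", observe_rate_during_exit(NaiveOracle))
    print("guarded:", observe_rate_during_exit(GuardedOracle))
```

With the naive oracle the quote is consistent before and after the exit but doubles inside the callback, because half the supply has been burned while none of the underlying has left yet. The guarded oracle raises inside the callback and quotes the same, correct value before and after, which is the behaviour a lending market should demand of any oracle that derives collateral prices from pool state.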
To carry out the attack, the exploiter used a flash loan from Aave, acquiring 50,000 wstETH and 60,000 WETH (worth around $191 million). PeckShield reports that the attacker then moved their stolen funds through Tornado Cash, an Ethereum mixer that obscures the connection between sender and recipient addresses, providing a layer of transaction privacy. It’s worth noting that the US government sanctioned Tornado Cash last year due to its use by the North Korean hacking group Lazarus.
As the DeFi sector expands, security concerns persist. Incidents like this one underscore the need for continuous efforts to improve safety measures and protect users in the world of decentralized finance.
Source: Decrypt