Sturdy Finance, a decentralized lending protocol, has suffered a security breach resulting in the loss of 442 ether, equivalent to around $800,000. An unidentified individual executed the attack and took advantage of a reentrancy vulnerability, enabling them to manipulate a faulty price oracle and drain funds from the platform.
Price oracles are crucial in decentralized finance (DeFi) systems because they supply up-to-date market prices. However, they can be compromised by hackers looking to take advantage of security holes.
Reentrancy attacks, which are frequently used to illegally extract funds from DeFi protocols, were used in the attack against Sturdy Finance. This type of attack involves submitting numerous requests to the same method in a single transaction before the first request has completed. This flaw allows an attacker to withdraw more money than they are entitled to. Once the attacker gained control over the function calls, they manipulated the price oracle.
The price oracle relied on a separate “read-only” smart contract. By manipulating the oracle, the attacker distorted the market value of assets in the Sturdy Finance platform’s liquidity pool on the Balancer decentralized exchange. Security firm BlockSec claimed that this manipulation is what allowed the attacker to steal money from Sturdy Finance.
BlockSec identified the root cause of the attack as Balancer’s read-only reentrancy vulnerability, combined with the manipulation of the price of B-stETH-STABLE.
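The read-only reentrancy pattern BlockSec names above, shown as an added example that is not code from the article, Balancer, or Sturdy Finance. It is a simplified Python toy model (the class names, the numbers and the burn-before-settle ordering are assumptions for illustration) in which a view function reports an inconsistent price during a payout callback, next to an oracle that checks the pool's lock before reading.

```python
# Toy model (constructed): names and numbers are illustrative assumptions,
# not Balancer or Sturdy Finance code.
class ReentrantRead(Exception):
    pass

class ToyPool:
    def __init__(self, balance, supply):
        self.balance = balance   # underlying assets held by the pool
        self.supply = supply     # LP tokens in circulation
        self.locked = False      # set while a state-changing call is in flight

    def rate(self):
        """Read-only view: value of one LP token. Has no reentrancy guard."""
        return self.balance / self.supply

    def ensure_not_in_call(self):
        """Lets read-only consumers detect that pool state is mid-update."""
        if self.locked:
            raise ReentrantRead("pool state is mid-update")

    def exit(self, lp_amount, on_receive):
        """Burn LP tokens and pay out; the callback runs before balances settle."""
        if self.locked:
            raise ReentrantRead("state-changing reentrancy blocked")
        self.locked = True
        payout = self.balance * lp_amount / self.supply
        self.supply -= lp_amount       # supply is already reduced...
        seen = on_receive(payout)      # ...control passes to the recipient...
        self.balance -= payout         # ...and only now does the balance catch up
        self.locked = False
        return seen

def naive_oracle(pool):
    return pool.rate()                 # trusts the view unconditionally

def guarded_oracle(pool):
    pool.ensure_not_in_call()          # refuse to price during an open call
    return pool.rate()

def observe_during_exit(oracle):
    """Return (price before, price read inside the callback, price after)."""
    pool = ToyPool(balance=1000.0, supply=1000.0)
    before = oracle(pool)
    def callback(_payout):
        try:
            return oracle(pool)
        except ReentrantRead:
            return "rejected"
    during = pool.exit(500.0, callback)
    return before, during, oracle(pool)
```

The state-changing function's own lock does not protect `rate()`, because a view call never tries to take the lock; the consumer of the price has to check it explicitly.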
Sturdy Finance promptly shut down all markets in reaction to the hack to prevent any more losses. The platform assured its users that their money was safe and that they didn’t need to do anything at the time. The team promised to provide updates on the situation as new details emerged.
Post-attack analysis revealed that the attacker employed the Tornado Cash mixer to obscure their activity and cover their tracks.
To create an interest-free borrowing and lending platform, Sturdy Finance raised $3 million over the course of three rounds in 2022. Pantera acted as the primary investor in this round of fundraising, which also included Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.
The Sturdy Finance team is now focused on addressing the security breach, implementing necessary measures to prevent future attacks, and ensuring the safety of their users’ funds within the decentralized lending ecosystem.