DeFi Protocol Sturdy Finance Hacked, $768,800 Worth of ETH Stolen
Summary: Sturdy Finance, a DeFi lending platform, suffered a vulnerability that allowed 442 ETH (about $768,800) to be stolen. The attacker gained access to Sturdy's funds by manipulating the pricing oracle of a collateral pool and borrowing money from Sturdy using B-stETH-STABLE as collateral.
A vulnerability in the DeFi lending protocol Sturdy Finance was exploited, and 442 ETH (about $768,800) were stolen. Sturdy Finance acknowledged the attack and suspended operations on the platform while it examined the problem; blockchain security firms PeckShield and BlockSec reported the vulnerability.
The protocol lets users post LP tokens from exchanges such as Curve and Balancer as collateral for loans. The decentralized platform offers two lending markets: one for ETH and one for stablecoins pegged to the US dollar.
In a Discord post, pgpsam, a core member of the Sturdy Finance team, wrote: “from our investigation so far the stablecoin market is unaffected.” The Sturdy pools are now closed to both stablecoin and ETH withdrawals.
Pricing Oracle Manipulated
According to preliminary investigations, the attacker gained access to Sturdy’s funds by manipulating the pricing oracle of a collateral pool. This morning the BlockSec team published its analysis of the attack on Twitter, describing it as a “typical Balancer’s read-only reentrancy” attack.
The attacker re-entered the B-stETH-STABLE pool while an earlier operation on it was still in progress, so the pool’s price oracle read inconsistent state and reported roughly three times the true price.
Hacker Profited from the Gap Between Inflated and True Collateral Value
The attacker had borrowed from Sturdy using B-stETH-STABLE as collateral, and withdrew collateral from Sturdy’s pool as the reported price rose. The profit comes from the gap between the inflated value of that collateral and its true worth.
The attack was financed with a flash loan of 50,000 wstETH and 60,000 WETH from Aave (worth around $191 million).
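The two paragraphs above describe the mechanism: a pool operation that burns LP shares before its stored balances are updated, an oracle that reads reserve-per-share during that window, and a lender that prices collateral from that reading. The toy model below is an added illustration, not Sturdy Finance or Balancer code; `Pool`, `borrow_limit` and all numbers are assumptions chosen so that the mid-operation rate comes out at three times the settled rate, and the guarded variant shows the standard mitigation of refusing oracle reads while the pool is mid-update.

```python
# Toy model of Balancer-style read-only reentrancy against an LP price oracle.
# Constructed for illustration; Pool, borrow_limit and all numbers are assumed,
# not Sturdy Finance or Balancer code.

class InFlightRead(Exception):
    """The guarded pool refuses to report a rate while an operation is in flight."""

class Pool:
    """exit() burns LP shares first and writes the new reserve only after the
    payout, so code run by the payout transfer sees a stale reserve."""

    def __init__(self, reserve_eth: float, lp_supply: float, guarded: bool):
        self.reserve = reserve_eth   # ETH held, as the vault records it
        self.supply = lp_supply      # LP tokens outstanding
        self.guarded = guarded       # True: refuse rate reads mid-operation
        self.in_flight = False

    def rate(self) -> float:
        """ETH per LP token, the value a lending oracle would read."""
        if self.guarded and self.in_flight:
            raise InFlightRead("pool state is mid-update; rate is unreliable")
        return self.reserve / self.supply

    def exit(self, lp_amount: float, on_receive) -> None:
        self.in_flight = True
        payout = self.reserve * lp_amount / self.supply
        self.supply -= lp_amount     # shares burned first
        on_receive(payout)           # native ETH transfer: recipient code runs here
        self.reserve -= payout       # stored balance updated only after the transfer
        self.in_flight = False

def borrow_limit(pool: Pool, collateral_lp: float, ltv: float = 0.75) -> float:
    """Borrowing a Sturdy-like lender allows against LP collateral at the oracle
    rate; InFlightRead propagates, i.e. the lending transaction reverts."""
    return collateral_lp * pool.rate() * ltv

def limit_seen_during_exit(guarded: bool) -> dict:
    """Borrow limit computed from inside the payout callback vs. after settlement."""
    pool = Pool(reserve_eth=900.0, lp_supply=900.0, guarded=guarded)
    seen = {}

    def on_receive(_eth: float) -> None:
        try:
            seen["in_callback"] = borrow_limit(pool, 100.0)
        except InFlightRead as exc:
            seen["error"] = type(exc).__name__

    pool.exit(600.0, on_receive)     # 2/3 of shares burned, reserve still 900
    seen["after_settle"] = borrow_limit(pool, 100.0)
    return seen
```

With the unguarded pool the lender values 100 LP at a rate of 3.0 inside the callback (limit 225.0) but 1.0 once the exit settles (limit 75.0); the guarded pool makes the in-callback read raise, so the lending transaction cannot complete on the inconsistent state.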
According to PeckShield, the attacker moved the stolen funds through Tornado Cash, an Ethereum mixer that protects user anonymity by masking the origin and destination addresses of transactions. Tornado Cash has been used by the North Korean hacking group Lazarus and many other threat actors, which is why United States authorities banned it last year.