DeFi lending protocol Sturdy Finance recently experienced a significant exploit that resulted in the loss of 442 ETH, equivalent to approximately $768,800. Blockchain security firms, including PeckShield and BlockSec, detected and reported the exploit, prompting the Sturdy Finance team to take immediate action by pausing activity on their DeFi platform while conducting a thorough investigation.
Sturdy Finance operates as a lending protocol that allows users to borrow against liquidity provider (LP) tokens from exchanges such as Curve and Balancer, using them as collateral. The platform provides two lending markets: Ethereum and dollar-pegged stablecoins.
Despite the exploit, the Sturdy Finance team assured users that the stablecoin market remained unaffected according to their investigation thus far. However, due to the ongoing investigation and pause in activity, users holding stablecoins and ETH on the platform are unable to withdraw from Sturdy’s pools.
Pgpsam, a core team member of Sturdy Finance, emphasized that their primary focus at the moment is understanding the exploit, determining how to mitigate it, and establishing communication with the hacker.
So, how did the exploit occur? Preliminary reports indicate that the attacker manipulated the price oracle of a collateral pool to siphon funds from Sturdy Finance. The BlockSec team, in a postmortem shared on Twitter, identified the attack as a “typical Balancer’s read-only reentrancy” attack. In a read-only reentrancy the contract that gets abused is not the pool itself but a third party that reads the pool’s view functions. During a join or exit, the pool hands control back to the caller (in Balancer’s case through the native ETH transfer) while its own accounting is only partly updated, so a view such as the pool’s LP-token rate returns a stale, inflated value until the operation finishes. The pool’s state-changing functions are protected by a reentrancy lock, but its read-only views are not, so any protocol that consults those views during that window, such as a lending market’s collateral oracle, is fed a manipulated price.
In this specific case, the attacker interacted with the B-stETH-STABLE pool and, inside the callback the pool issues before its balances are written back, re-entered Sturdy while the pool’s reported LP-token rate was inflated roughly three-fold. The attacker had previously deposited B-stETH-STABLE as collateral to borrow on Sturdy Finance; with that collateral now priced at three times its real value, the attacker withdrew the inflated amount from Sturdy’s pool. Because the collateral was actually worth only a third of what the oracle reported, the hacker kept the difference. The attack was financed with a flash loan from Aave of 50,000 wstETH and 60,000 WETH, valued at approximately $191 million.
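To make the mechanism concrete, the following is an added Python model of the attack and of the usual fix; it is not Balancer’s, Sturdy’s or the attacker’s code. It assumes a toy pool whose LP rate is invariant divided by LP supply, an exit that burns LP tokens, then pays out ETH (handing control to the recipient), and only afterwards writes back the cached balances, a naive oracle that reads the rate directly, a hardened oracle that first runs a Balancer-style “not in vault context” check (modelled as a lock flag), and a lending market with a 50% loan-to-value ratio. The pool balances, LP amounts and ETH price are constructed sample numbers, and the invariant is a plain sum standing in for the real stable-swap formula.

```python
"""Toy model of a Balancer-style read-only reentrancy against an LP-token oracle.

Added illustration, not Balancer's, Sturdy's or the attacker's code. Pool,
exit ordering, oracle and lending market are simplified; numbers are constructed.
"""


class ReentrancyError(Exception):
    """Raised when a view is read while the pool is mid join/exit."""


class Pool:
    """Two-asset pool whose LP rate is invariant / LP supply.

    The exit ordering models the bug: LP tokens are burned, then ETH is paid
    out (handing control to the recipient), and only afterwards are the cached
    balances written back. Between steps 1 and 3 the rate is inflated.
    """

    def __init__(self, balances, total_supply):
        self.balances = list(balances)   # integer, wei-like units (constructed)
        self.total_supply = total_supply
        self.locked = False              # the vault's reentrancy lock

    def invariant(self):
        # Stand-in for the stable-swap invariant; the stale accounting,
        # not the formula, is what the attack exploits.
        return sum(self.balances)

    def get_rate(self):
        """View an external oracle would read; carries no reentrancy check."""
        return self.invariant() / self.total_supply

    def ensure_not_in_vault_context(self):
        """Mirror of the check Balancer recommends integrators run before
        trusting getRate(): fail if the vault's reentrancy lock is held."""
        if self.locked:
            raise ReentrancyError("pool is mid join/exit; getRate() is not trustworthy")

    def exit_pool(self, lp_amount, recipient):
        # LP ownership is not tracked here; assume the LP was flash-loaned.
        assert not self.locked, "nonReentrant"
        self.locked = True
        payout = [b * lp_amount // self.total_supply for b in self.balances]
        self.total_supply -= lp_amount                   # 1. burn LP tokens
        recipient.receive_eth(payout[0])                 # 2. pay out ETH -> callback
        self.balances = [b - p for b, p in zip(self.balances, payout)]  # 3. update
        self.locked = False
        return payout


class Oracle:
    """Prices one LP token in USD straight from pool.get_rate()."""

    def __init__(self, pool, eth_usd):
        self.pool, self.eth_usd = pool, eth_usd

    def lp_price(self):
        return self.pool.get_rate() * self.eth_usd


class HardenedOracle(Oracle):
    """Same oracle, but refuses to price while a join/exit is in progress."""

    def lp_price(self):
        self.pool.ensure_not_in_vault_context()
        return super().lp_price()


class LendingMarket:
    """Lends up to ltv * oracle value of the posted LP collateral."""

    def __init__(self, oracle, ltv=0.5):
        self.oracle, self.ltv = oracle, ltv

    def max_borrow(self, lp_collateral):
        return lp_collateral * self.oracle.lp_price() * self.ltv


class Attacker:
    """Has LP collateral posted at the lender and re-enters from the ETH callback."""

    def __init__(self, market, collateral_lp):
        self.market, self.collateral_lp = market, collateral_lp
        self.credit_in_callback = None

    def receive_eth(self, amount):
        # Re-entrant read: the lender prices the collateral mid-exit.
        try:
            self.credit_in_callback = self.market.max_borrow(self.collateral_lp)
        except ReentrancyError:
            self.credit_in_callback = 0.0


def simulate(hardened):
    """Return (credit before exit, credit granted inside the callback, credit after)."""
    pool = Pool(balances=[1500, 1500], total_supply=3000)        # rate 1.0 (constructed)
    oracle = (HardenedOracle if hardened else Oracle)(pool, eth_usd=2000)
    market = LendingMarket(oracle)
    attacker = Attacker(market, collateral_lp=100)
    before = market.max_borrow(attacker.collateral_lp)
    pool.exit_pool(lp_amount=2000, recipient=attacker)           # burns 2/3 of supply
    after = market.max_borrow(attacker.collateral_lp)
    return before, attacker.credit_in_callback, after


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "naive", simulate(hardened))
```

Running the block prints both cases. With the naive oracle the credit granted inside the callback is exactly three times what the same collateral is worth before and after the exit, reproducing the three-fold inflation reported for B-stETH-STABLE; outside the callback the rate is correct, which is why an on-chain check cannot catch it after the fact. The hardened oracle refuses to price at all while the lock is held, which is the integrator-side mitigation Balancer publishes (probing the vault for its reentrancy lock before trusting `getRate()`), modelled here as a flag rather than the real vault call.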
PeckShield also reported that the exploiters utilized Tornado Cash, an Ethereum mixer designed to enhance transaction privacy by obfuscating the connection between sender and recipient addresses, to move the stolen funds. It is worth noting that the U.S. government had previously sanctioned Tornado Cash due to its use by the North Korean hacking group Lazarus.
Sturdy Finance is currently working to resolve the exploit, strengthen its security measures, and ensure the safety of user funds.