Lending protocol Sturdy Finance drained of $800,000 in security attack
Sturdy Finance, a decentralized lending protocol, fell victim to a security attack today, which led to a loss of 442 ether or about $800,000. The unknown attacker took advantage of a reentrancy vulnerability that later facilitated manipulation of a faulty price oracle, thereby enabling them to siphon off funds.
In decentralized finance (DeFi) applications, price oracles are pivotal as they provide real-world price data. However, they also represent a potential target for hackers who can exploit them for security breaches.
The attack on Sturdy Finance was initiated by a reentrancy attack, a method typically used to illicitly withdraw funds from DeFi protocols. This type of attack takes advantage of the ability to call a function repeatedly within a single transaction before the original function call is completed. This, in turn, allows the attacker to withdraw more funds than they would legitimately be entitled to.
After the attacker established the ability to manipulate the function calls, they then proceeded to exploit the price oracle. Sturdy Finance’s price oracle, derived from a separate “read-only” smart contract, was manipulated. This oracle was designed to determine the accurate market value of assets in a liquidity pool managed by Sturdy’s team on the Balancer decentralized exchange, thus facilitating the trading of staked ether (stETH). However, the exploitation of the oracle enabled the attacker to drain funds from Sturdy.
BlockSec, a security firm, stated, «The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated.»
Sturdy pauses markets
Sturdy Finance reacted to the attack by suspending all of its markets to prevent further potential losses, assuring its users that no other funds were in danger as a result of the breach.
“All markets have been paused; no additional funds are at risk, and no user actions are required at this time,” said the team. “We will be sharing more information as soon as we have it.”
After the attack, on-chain data shows that the attacker used the Tornado Cash mixer to obscure the activity.
In 2022, Sturdy Finance raised $3 million in a series of rounds to construct an interest-free borrowing and lending platform. The funding was lead by Pantera and also saw participation from Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.
Bitcoin 
Ethereum 
Tether 
USDC 
Dogecoin 
Cardano 
TRON 
Bitcoin Cash 
Chainlink 
Polygon 
Litecoin 
LEO Token 
Dai 
Ethereum Classic 
Hedera 
Cosmos Hub 
Cronos 
Stellar 
Stacks 
OKB 
VeChain 
Maker 
Monero 
Theta Network 
Algorand 
NEO 
Gate 
KuCoin 
EOS 
Tezos 
Synthetix Network 
IOTA 
Tether Gold 
Bitcoin Gold 
TrueUSD 
Enjin Coin 
Zilliqa 
Holo 
0x Protocol 
Ravencoin 
Siacoin 
Qtum 
Basic Attention 
Zcash 
Dash 
NEM 
Decred 
Ontology 
Lisk 
Waves 
ICON 
DigiByte 
Status 
Pax Dollar 
Nano 
Numeraire 
Steem 
Hive 
Huobi 
OMG Network 
BUSD 
Ren 
Bitcoin Diamond 
Bytom 
Kyber Network Crystal Legacy 
HUSD 
Energi 
Augur 