$800K in ETH drained after Sturdy Finance falls to hack
Decentralized Finance Protocol Sturdy Finance has lost 442 Ether because of a security flaw, with the full amount valued at over $800,000. The hacker took advantage of a loophole to manipulate a flawed price oracle, which ultimately allowed him to siphon money from the protocol.
The blockchain security company PeckShield informed Sturdy Finance of a transaction that appeared to be connected to price manipulation on June 12. After learning of the attack a little over an hour later, the DeFi protocol responded by stopping all of its markets and assured its customers that no additional funds are at risk.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy ? (@SturdyFinance) June 12, 2023
Pricing oracles play a significant role in decentralized finance (DeFi) applications like Sturdy Finance by giving actual pricing data. However, they can also be a top target for hackers looking to take advantage of flaws while also jeopardising the platform’s security.
Quick reactions couldn’t save $800K
PeckShield revealed that the attacker was able to move about $800,000 in ETH to the cryptocurrency mixer Tornado Cash, despite a prompt response from the DeFi lending network. The security company added that a flawed price oracle was the exploit’s “root cause”.
Reentrancy attacks, which are frequently used to fraudulently withdraw money via DeFi protocols, were used to launch the attack on Sturdy Finance. This kind of attack makes use of the capability to make many calls to the same function within a single transaction before the initial function call has finished.
The attacker was able to extract more money than they were legally allowed to by taking advantage of this flaw.
The attacker then used their control over the function calls to take advantage of the pricing oracle. Sturdy Finance derived its price oracle from a second “read-only” smart contract, which was in charge of reliably estimating the market value of assets in a liquidity pool run by Balancer protocol. However, the attacker was able to siphon money from Sturdy Finance by successfully manipulating the oracle.
The blockchain security firm BlockSec also emphasized that the hack was carried out using a reentrancy attack, which is a typical technique hackers employ to take money through DeFi protocols.
Eight prominent members of the cryptocurrency community’s Twitter accounts were taken over by scammers recently, who used them to spread their con schemes. Blockchain sleuth ZachXBT claims that after hacking the accounts of well-known DJ Steve Aoki, Pudgy Penguins entrepreneur Cole Villemain, and even crypto-critic Peter Schiff, hackers took approximately $1 million in cryptocurrencies.
The incident serves as a reminder of the ongoing difficulties and dangers of decentralized money, as well as the value of strong security measures.