Sturdy Finance, a decentralized lending protocol, experienced a significant security breach today, resulting in a loss of 442 ether, equivalent to approximately $800,000. The attack was carried out by an unknown individual who exploited a reentrancy vulnerability within the system, enabling them to manipulate a faulty price oracle and siphon off funds.
In decentralized finance (DeFi) applications like Sturdy Finance, price oracles play a crucial role by providing real-world price data. However, they can also serve as a prime target for hackers seeking to exploit vulnerabilities and compromise the security of the platform.
The attack on Sturdy Finance began with a reentrancy attack, a method commonly employed to fraudulently withdraw funds from DeFi protocols. This type of attack takes advantage of the ability to call a function repeatedly within a single transaction before the original function call is completed. By leveraging this loophole, the attacker was able to withdraw more funds than they were legitimately entitled to.
Sturdy Finance security breach
Once the attacker gained control over the function calls, they proceeded to exploit the price oracle. Sturdy Finance relied on a separate “read-only” smart contract to derive its price oracle, which was responsible for accurately determining the market value of assets in a liquidity pool managed by the protocol on the Balancer decentralized exchange. However, the attacker successfully manipulated the oracle, allowing them to drain funds from Sturdy Finance.
BlockSec, a security firm, identified the root cause of the breach as the typical reentrancy vulnerability in Balancer’s system, combined with the manipulation of the price of B-stETH-STABLE.
In response to the attack, Sturdy Finance took immediate action by suspending all of its markets to prevent further potential losses. The team assured users that no additional funds were at risk and that no immediate action was required from the users. They pledged to provide more information as soon as it became available.
Following the attack, on-chain data revealed that the attacker utilized the Tornado Cash mixer to obfuscate their activities. This mixer is a tool used to enhance privacy and make it difficult to trace transactions on the blockchain.
The incident highlights the ongoing challenges and risks associated with decentralized finance and the importance of robust security measures. Sturdy Finance’s swift response in suspending the markets demonstrates its commitment to protecting user funds and mitigating potential losses. As the investigation unfolds, it is hoped that further insights will be gained to prevent similar attacks in the future and strengthen the overall security of decentralized lending protocols.