DeFi Lending Platform Sturdy Finance Falls Victim to Exploit, Losing Over $750K

DeFi lending platform Sturdy Finance has fallen victim to an exploit that resulted in the loss of 442 ETH, equivalent to approximately $768,800. The exploit was brought to light by blockchain security firms PeckShield and BlockSec, prompting Sturdy Finance to acknowledge the hack and temporarily suspend operations on the platform while conducting an investigation. Sturdy Finance operates as a decentralized lending protocol, allowing users to borrow against liquidity provider (LP) tokens from exchanges such as Curve and Balancer, using them as collateral. The platform offers two lending markets: one for Ethereum and another for dollar-pegged stablecoins.

Sturdy Finance Investigates Exploit, Stablecoin Market Unaffected

During the investigation, a core team member of Sturdy Finance, pgpsam, noted on the project’s Discord channel that their findings suggested the stablecoin market remained unaffected by the exploit. However, as activity on the platform remains paused, users holding stablecoins and ETH are currently unable to withdraw from Sturdy’s pools. The team’s immediate focus lies in understanding the nature of the exploit, devising strategies to mitigate its impact, and establishing communication channels with the attacker. Their primary concern is to regain control and minimize the damage caused. The exploit seems to have involved the manipulation of a collateral pool’s price oracle, allowing the attacker to drain funds from Sturdy Finance. Reports from BlockSec describe the attack as a “typical Balancer’s read-only reentrancy” attack. In such cases, a smart contract function interacts with another contract, and that contract calls back to the first contract before its execution is complete.

In this specific incident, the attacker repeatedly called the B-stETH-STABLE pool before previous transactions could be executed, causing the price oracle of the pool to malfunction and reflect a three-fold increase. Taking advantage of this price inflation, the attacker withdrew collateral from Sturdy’s pool, effectively benefiting from the inflated value. However, the actual value of the collateral was only one-third of the manipulated amount, allowing the hacker to profit from the discrepancy.

Disclaimer: This article was created for informational purposes only and should not be taken as investment advice. An asset’s past performance does not predict its future returns. Before making an investment, please conduct your own research, as digital assets like cryptocurrencies are highly risky and volatile financial instruments. This is a news article only. 

Leave a Reply