Join Our Telegram channel to stay up to date on breaking news coverage
The crypto industry saw another major hack recently, and this time, the target was a decentralized lending protocol, Sturdy Finance.
The project suffered a security attack that robbed it of 442 ETH, or approximately $800,000.
At this time, the attacker is still not identified, but it is known that they took advantage of a reentrancy vulnerability.
They then proceeded to manipulate a faulty price oracle, which allowed them to steal the funds.
What did the attacker do?
Price oracles play a major role in decentralized finance, providing real-time price data for digital assets.
However, online criminals can also exploit them should they manage to find a vulnerability that can be exploited.
This happened to Sturdy Finance, as the project suffered a reentrancy attack, a method commonly used for illicit withdrawal of funds from DeFi protocols.
The attack essentially misuses the ability to call a function repeatedly within a single transaction before the first function call gets completed.
That way, they get to withdraw more funds than they are supposed to.
After the attacker realized that they could manipulate function calls in such a way, they exploited the price oracle derived from a special read-only smart contract that Sturdy Finance uses.
The oracle was created to determine the accuracy of the market value of assets stored in a liquidity pool that the project’s team manages on the Balancer DEX.
In doing so, the oracle facilitates the trading of staked ETH. However, by exploiting it, the attacker managed to drain funds from Sturdy, as explained by a security company BlockSec.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN
— BlockSec (@BlockSecTeam) June 12, 2023
The security company noted that “the root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated.”
2/ The attack tx (https://t.co/XdAhTpE6aS) consists of the following attack steps. pic.twitter.com/EvZhYpWPDO
— BlockSec (@BlockSecTeam) June 12, 2023
Sturdy Finance froze the markets to prevent further losses
After realizing it was under attack, Sturdy Finance reacted by suspending all markets to prevent further exploits and even greater losses. It also assured the users that no other funds were endangered during the breach. The team stressed that All markets have been paused, no additional funds are at risk, and no user actions are required at this time. We will be sharing more information as soon as we have it..”
Following the attack, many have started using block explorers to try and track down the attacker.
However, the on-chain data revealed that the attacker had already used Tornado Cash mixer to hide the coins and likely split the amount they stole into multiple transactions so that they would get lost in the traffic.
As for Sturdy Finance itself, it managed to raise $3 million last year in a series of rounds. Its goal was to create an interest-free borrowing and lending platform.
The funding rounds were led by Pantera, with other major participants, including SoftBank’s Opportunity Fund, KuCoin Ventures, and Y Combinator.
Related
- Atomic Wallet Hack Connected to North Korean Hacking Group Lazurus
- Cryptocurrency Hacks Show Decline and Changing Dynamics – Insights from TRM Labs
- Major Data Breach Exposes BA, BBC and Boots to File Transfer Hack: What You Need to Know
Most Searched Crypto Launch - Pepe Unchained
- Layer 2 Meme Coin Ecosystem
- Featured in Cointelegraph
- SolidProof & Coinsult Audited
- Staking Rewards - pepeunchained.com
- $40+ Million Raised at ICO - Ends December
Join Our Telegram channel to stay up to date on breaking news coverage