Sturdy Finance, a decentralized lending platform, experienced a significant security breach resulting in a loss of 442 Ethereum (ETH), valued at around $800,000. The attack, executed by an unidentified hacker, exploited the platform’s reentrancy vulnerability, a common method used to fraudulently withdraw funds from DeFi protocols. By taking advantage of flaws in the system, the attacker manipulated the price oracle, a crucial component providing real-time price data in decentralized finance applications like Sturdy Finance. The breach highlighted the vulnerability of DeFi platforms to sophisticated attacks, especially through reentrancy tactics that enable unauthorized fund withdrawals.
The attacker strategically used their control over function calls to manipulate the price oracle, which was derived from a separate “read-only” smart contract responsible for estimating the market value of assets in a Balancer protocol liquidity pool. The successful manipulation allowed the hacker to steal funds from Sturdy Finance. Security company BlockSec identified the root cause as the typical reentrancy vulnerability in Balancer’s system, combined with the manipulation of the price of B-stETH-STABLE. To obfuscate their activities, the attacker utilized the Tornado Cash mixer, as revealed by on-chain data.
In response to the breach, Sturdy Finance promptly suspended all its markets to limit potential losses, assuring users that no additional funds were at risk and no immediate action was required on their part. The platform pledged to share more details about the incident as they became available, emphasizing the ongoing need for robust security measures in the DeFi space. The attack serves as a reminder of the persistent challenges faced by decentralized financial platforms in safeguarding user funds against increasingly sophisticated cyber threats.
