Sturdy Finance, a decentralized credit protocol, has suffered a significant loss of approximately 442 ETH, equivalent to around $800,000, in an attack caused by a manipulated price oracle. The unidentified attacker exploited a security vulnerability, taking advantage of a reentrancy flaw and draining funds from the protocol.
442 ETH worth nearly $800,000 stolen in attack
Price oracles play a critical role in decentralized finance (DeFi) protocols as they provide real-world price data and are often targeted by attackers. In this case, the attacker initiated a reentrancy attack, a method frequently used to illicitly withdraw funds from DeFi protocols. This type of attack lets a function be executed again within a single transaction before the original function call has completed, so the contract acts on state that has not yet been fully updated, enabling the attacker to withdraw more funds than permitted.
The attacker capitalized on the ability to manipulate function calls and exploited the price oracle within Sturdy Finance. The oracle was designed to determine the accurate market value of assets in a liquidity pool managed by the decentralized exchange Balancer, which facilitated the trading of staked ETH (stETH) within the protocol. According to security firm BlockSec, the attacker successfully emptied the funds in Sturdy Finance. BlockSec stated, “The root cause originates from the typical Balancer’s read-only decentralized contract while manipulating the price of B-stETH-STABLE.”
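The following Python model is an added illustration of why a price read taken in the middle of a pool operation cannot be trusted, and of the lock check that rejects such a read. It is not Sturdy Finance's or Balancer's code: the `Pool` class, its update order, the oracle functions and all numbers are assumptions constructed for the example.

```python
class ReentrantRead(Exception):
    """Raised when a price is requested while the pool is mid-operation."""

class Pool:
    """Toy pool (hypothetical): share price = balance / shares."""
    def __init__(self, balance, shares):
        self.balance, self.shares = balance, shares
        self.locked = False  # set while a state change is in flight

    def share_price(self):  # read-only view
        return self.balance / self.shares

    def exit(self, shares_out, on_payout):
        """Burn shares, pay the caller, then reduce the balance."""
        self.locked = True
        try:
            payout = shares_out * self.balance / self.shares
            self.shares -= shares_out   # first half of the update
            on_payout(payout)           # external call: receiver code runs here
            self.balance -= payout      # second half, applied only afterwards
        finally:
            self.locked = False
        return payout

def naive_oracle(pool):
    return pool.share_price()  # trusts whatever state it finds

def guarded_oracle(pool):
    if pool.locked:  # refuse to price a half-updated pool
        raise ReentrantRead("pool is mid-operation")
    return pool.share_price()

def observe_during_exit(oracle, balance=1000.0, shares=1000.0, shares_out=900.0):
    """Return (price seen inside the callback, price after the call)."""
    pool, seen = Pool(balance, shares), {}
    def callback(_payout):
        try:
            seen["price"] = oracle(pool)
        except ReentrantRead:
            seen["price"] = None  # read rejected
    pool.exit(shares_out, callback)
    return seen["price"], oracle(pool)

if __name__ == "__main__":
    print("naive:  ", observe_during_exit(naive_oracle))
    print("guarded:", observe_during_exit(guarded_oracle))
```

With the constructed numbers, the naive oracle reports a mid-call price ten times the settled one, while the guarded oracle refuses the mid-call read and returns only the settled price.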
Sturdy Finance Markets Suspended
To prevent further potential losses, Sturdy Finance has temporarily suspended all markets. The team assures users that no additional funds are at risk, and no immediate user action is required. More information will be shared as it becomes available.
Chain data reveals that the attacker utilized the cryptocurrency mixer Tornado Cash to conceal their transactions following the attack.
Sturdy Finance previously raised $3 million in funding through multiple investment rounds in 2022 to establish an interest-free lending platform. Investors included Pantera Capital, Y Combinator, SoftBank’s Opportunity Fund, and KuCoin Ventures.