Sturdy Finance, a decentralized lending platform, lost $800,000 in a security breach on Saturday. An unidentified hacker exploited a reentrancy vulnerability and manipulated a faulty price oracle to drain funds from the protocol.
Sturdy Finance, a decentralized lending platform, suffered a major security breach on Saturday, losing 442 ether (ETH), worth about $800,000 at the time of the attack.
Price oracles are essential components of decentralized finance (DeFi) applications like Sturdy Finance, as they provide real-world price data for a variety of assets. However, they can also be vulnerable to attacks if not implemented securely.
The unidentified hacker launched a reentrancy attack, a common method used to withdraw funds from DeFi protocols fraudulently.
A reentrancy attack lets the attacker call back into a function repeatedly within a single transaction, before the original call has finished updating the contract's state. By doing so, the hacker could withdraw more funds than they were entitled to.
The hacker manipulated the price oracle after gaining control over the function calls.
Sturdy Finance used a separate “read-only” smart contract to derive its price oracle, which determined the market value of assets in a liquidity pool managed by the protocol on the Balancer decentralized exchange.
However, the hacker successfully tampered with the oracle, allowing them to siphon off funds from Sturdy Finance.
According to blockchain security firm BlockSec, the root cause of the breach was a typical reentrancy vulnerability in Balancer’s system, combined with the manipulation of the price of B-stETH-STABLE.
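The mechanism described above (a pool whose token price is read mid-operation, inflating the collateral value an oracle reports) can be modelled in a few lines. The following is an added, simplified Python illustration written for this article; it is not Sturdy Finance's or Balancer's code. The pool's `exit()` ordering and the `locked` flag are assumptions; the guarded oracle mirrors the usual mitigation of refusing to price a pool while its reentrancy lock is held.

```python
# Constructed model of read-only reentrancy against a pool-based price oracle.
# Not production code: a toy pool whose LP-token rate is briefly wrong while
# an exit is in flight, and an oracle that refuses to read during that window.

class Pool:
    """Toy liquidity pool. exit() burns LP tokens, then makes an external
    transfer (callback), and only afterwards reduces the pool's reserves, so
    rate() is inflated while the callback runs."""

    def __init__(self, reserves: float, supply: float):
        self.reserves = reserves   # underlying tokens held by the pool
        self.supply = supply       # LP tokens outstanding
        self.locked = False        # reentrancy lock, held during state changes

    def rate(self) -> float:
        # Value of one LP token in underlying. A view function: a plain
        # reentrancy lock on state-changing calls does not stop this read.
        return self.reserves / self.supply

    def exit(self, lp_amount: float, on_payout) -> None:
        assert not self.locked, "reentrant state-changing call"
        self.locked = True
        payout = lp_amount * self.rate()
        self.supply -= lp_amount   # LP tokens burned first ...
        on_payout(payout)          # ... external transfer / callback here ...
        self.reserves -= payout    # ... balances only updated afterwards
        self.locked = False


def naive_oracle(pool: Pool) -> float:
    """Reads the rate unconditionally, so it trusts a mid-exit value."""
    return pool.rate()


def guarded_oracle(pool: Pool) -> float:
    """Hardened version: refuse to price while the pool is mid-operation."""
    if pool.locked:
        raise RuntimeError("pool is in a reentrant context; price unavailable")
    return pool.rate()


def observe_during_exit(pool: Pool, oracle, lp_amount: float):
    """Price the oracle reports inside the exit callback, or None if it refused."""
    seen = {}

    def on_payout(_payout: float) -> None:
        try:
            seen["price"] = oracle(pool)
        except RuntimeError:
            seen["price"] = None

    pool.exit(lp_amount, on_payout)
    return seen["price"]
```

With 1000 reserves backing 1000 LP tokens, the naive oracle reports 2.0 per LP token during a 500-token exit even though the settled rate is 1.0, while the guarded oracle declines to answer.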
How the Protocol Responded to the Breach
Sturdy Finance responded swiftly to the attack by pausing its markets to prevent further losses. The team assured users that no additional funds were at risk and that no immediate action was needed, and promised to share more information as soon as possible.
Following the attack, on-chain data revealed that the hacker used the Tornado Cash mixer to conceal their activities. This mixing service is a tool used to enhance privacy and make blockchain transactions difficult to trace.
The Implications for DeFi Security
The incident highlights the ongoing challenges and risks associated with DeFi and the significance of robust security measures. Sturdy Finance’s quick response in suspending the markets demonstrates its commitment to protecting user funds and mitigating potential losses.
As the investigation unfolds, it is anticipated that further insights will be gained to prevent similar attacks and strengthen the overall security of decentralized lending protocols.