Sturdy Finance Hack: $800K Ethereum Loss In Security Breach

Decentralized lending platform Sturdy Finance recently suffered a major security breach that resulted in the loss of approximately $800,000 worth of ether (ETH). The attack, carried out by an unidentified individual, exploited a reentrancy vulnerability within the system, manipulating a flawed price oracle and draining funds from the platform.

Reentrancy Vulnerability in Balancer System

This incident highlights a weakness inherent in decentralized finance (DeFi) applications: price oracles play a critical role in providing real-world price data, which also makes them attractive targets for hackers seeking to exploit weaknesses and compromise platform security.

BlockSec, a cybersecurity firm, conducted a detailed analysis of the breach and traced its root cause to a reentrancy vulnerability in Balancer’s system, combined with the manipulation of B-stETH-STABLE price data. The attacker leveraged this vulnerability to repeatedly call a function within a single transaction, ultimately withdrawing more funds than authorized. By gaining control over the function calls, the attacker successfully manipulated the price oracle, draining funds from Sturdy Finance.
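As an added illustration (not taken from BlockSec's analysis or from either project's code), the following simplified Python model shows how a reentrant call can let a price oracle read a pool whose state is only half updated, next to an oracle that refuses to read mid-update. The pool, the order of its state updates, the numbers and all names are assumptions made for the example.

```python
# Simplified model; assumed for illustration, not the Balancer or Sturdy contracts.
class ReentrantRead(Exception):
    """Raised when the pool is queried in the middle of a state change."""

class Pool:
    def __init__(self, reserves, shares):
        self.reserves = reserves   # assets held by the pool
        self.shares = shares       # pool tokens outstanding
        self.locked = False        # True while a state change is in flight

    def exit(self, burn, on_receive):
        """Burn shares and pay out; the payout hands control to the receiver."""
        payout = self.reserves * burn // self.shares
        self.locked = True
        try:
            self.shares -= burn       # first state update
            on_receive(payout)        # external call: receiver code runs here
            self.reserves -= payout   # second state update happens only afterwards
        finally:
            self.locked = False
        return payout

def naive_price(pool):
    """Oracle that trusts whatever state it sees."""
    return pool.reserves / pool.shares

def guarded_price(pool):
    """Oracle that refuses to price a pool whose update is still in flight."""
    if pool.locked:
        raise ReentrantRead("pool state is mid-update")
    return pool.reserves / pool.shares

def observe_during_exit(oracle, reserves=1000, shares=1000, burn=900):
    """Return (price before, price seen inside the callback, price after)."""
    pool = Pool(reserves, shares)   # constructed sample values
    seen = {}
    def on_receive(_payout):
        try:
            seen["mid"] = oracle(pool)
        except ReentrantRead:
            seen["mid"] = None      # the guarded oracle rejected the read
    before = oracle(pool)
    pool.exit(burn, on_receive)
    return before, seen["mid"], oracle(pool)

if __name__ == "__main__":
    print("naive  :", observe_during_exit(naive_price))
    print("guarded:", observe_during_exit(guarded_price))
```

The naive oracle reports a tenfold price inside the callback even though the price before and after the transaction is unchanged; the guarded oracle returns no price at that point.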

Responding promptly to the breach, Sturdy Finance immediately suspended all of its markets to prevent further potential losses. The platform’s team assured users that no additional funds were at risk and that no immediate action was required on their part.

Safeguarding DeFi

Further investigation revealed that the attacker employed the Tornado Cash mixer, a privacy-enhancing tool that added an extra layer of complexity, making it challenging to trace the attacker’s transactions on the blockchain.

This security breach serves as a stark reminder of the constant threats faced by DeFi platforms. Just days before, on June 4, crypto wallet provider Atomic Wallet fell victim to a significant hack resulting in the theft of approximately $35 million worth of cryptocurrencies, including bitcoin, ether, tether, dogecoin, litecoin, BNB coin, and polygon.

These incidents underscore the critical need for robust security measures and continued vigilance within the DeFi ecosystem. As the popularity of decentralized finance grows, it becomes increasingly crucial for platforms to proactively address vulnerabilities and enhance their security frameworks to protect user assets from malicious actors.