Exploiters on Monday hacked lending protocol Sturdy Finance, making off with 442 ETH, worth around $800,00. The hackers manipulated a faulty price oracle after dictating a balancer’s read-only reentrancy, enabling them to loot the protocol.
Sturdy Hacked
The hackers utilized the reentrancy exploit method, a trick famous in decentralized finance (DeFi) exploitations. According to smart contract auditor BlockSec, the exploiters borrowed 50,000 wsETH and 60,000 WETH as a flashloan from Aave, which they used as collateral to borrow 513 WETH from Sturdy.
The hackers then manipulated the protocol, allowing the attackers to withdraw both the collateral and the 513 WETH borrowed from Sturdy. Afterward, the hackers repaid the flash loan borrowed from Aave and transferred the profits to the Tornado cash mixer.
DeFi hackers have continued to take advantage of the vulnerability of the price oracle. The oracle connects blockchains to external systems, allowing the execution of smart contracts depending on real-world inputs and outputs. As important as it is, hackers have made it a primary target for manipulation as they inject wrong information into it, producing erroneous results.
Sturdy Halts Operations
Sturdy Finance halted its operations after confirming the attack. The protocol stated that it stopped the market to prevent further exploits while assuring users that other funds were safe.
“All markets have been paused; no additional funds are at risk, and no user actions are required at this time. We will be sharing more information as soon as we have it,” the Sturdy team stated.
Based in Menlo Park, California, Sturdy Finance raised $3.9 million in fundraising for what it termed “a new kind of lending protocol.” The protocol offers interest-free borrowing and high-yielding lending.
DeFi exploits are on the rise and account for more than 70% of all crypto hacks in recent times. Protocols like Euler, Level, and Jimbos have all been exploited recently, with almost $210 million stolen from them combined.
