$800K lost following Sturdy Finance security breach

Decentralized lending platform Sturdy Finance suffered a serious security breach earlier today that cost it 442 Ethereum (ETH), worth about $800,000. An unidentified hacker launched the attack, taking advantage of the system’s reentrancy vulnerability to control a flawed price oracle and steal money.

Essentially, price oracles play a crucial role in decentralized finance (DeFi) applications like Sturdy Finance by providing actual price data. However, they can also be a top target for hackers looking to take advantage of flaws and jeopardize the platform’s security.

How the Study Finance attack was orchestrated

Reentrancy attacks, which are frequently used to fraudulently withdraw money from DeFi protocols, were used to launch the attack on Sturdy Finance. This kind of attack makes use of the capability to make multiple calls to the same function within a single transaction before the initial function call has finished. The attacker was able to withdraw more money than they were legally allowed to by taking advantage of this flaw.

The attacker then used their control over the function calls to take advantage of the price oracle. Sturdy Finance derived its price oracle from a separate “read-only” smart contract, which was in charge of accurately estimating the market value of assets in a liquidity pool run by the Balancer protocol. The attacker, however, was successful in manipulating the oracle, allowing them to steal funds from Study Finance.

Security Company BlockSec identified the root cause of the breach as the typical reentrancy vulnerability in Balancer’s system, combined with the manipulation of the price of B-stETH-STABLE.

According to on-chain data, the attacker then went ahead to use the embattled Tornado Cash mixer to obfuscate their activities.

Sturdy Finance responded to the attack right away by suspending all of its markets in order to limit potential losses. Users received assurances from the team that no additional funds were in danger and that no immediate action was needed on their part. They promised to share more details as soon as they were made available.

The post $800K lost following Sturdy Finance security breach appeared first on Invezz.