Sturdy Finance – a DeFi project promising up to 10x leverage on staked assets – has been exploited by a hit-and-run attack on its pricing oracle.
Although the amount stolen (worth about $800k at the time this article was written) pales in comparison to other, more high-profile attacks like the one on Atomic Wallet users just last week, it also ensures that laundering the profits will not be nearly as hard as it is for cybercriminals who have made off with much bigger takings.
Price Manipulation
The attack on Sturdy Finance was carried out via reentrancy exploit, a common method of attacking DeFi projects that entails repeatedly calling a function in a smart contract before the original call is completed.
In order to attack Sturdy Finance, the hacker first established the vulnerability of the protocol’s price oracle – the part of Sturdy’s ecosystem that determines the current value of assets to be used in trading and loans – to reentrancy exploits. Once the vulnerability was established, a flashloan from AAVE provided the liquidity necessary for the attack.
This allows the bad actor to withdraw more funds than the smart contract should allow them to. In this case, the price of staked Ether (stETH) was manipulated three times in a row in order to enable the bad actor to withdraw more than the loan should allow them to, pay off the original loan, and cash out the extra funds. This process was then repeated on five occasions, each time using a different smart contract.
2/ The attack tx (https://t.co/XdAhTpE6aS) consists of the following attack steps. pic.twitter.com/EvZhYpWPDO
— BlockSec (@BlockSecTeam) June 12, 2023
The exploit resulted in a loss of 442 ETH for Sturdy, a takeaway already on its way to Tornado Cash.
Post-Mortem in Progress
The security team at Sturdy confirmed that the exploit has been noted, and their operations have been paused for the moment to conduct a proper post-mortem. The team also asserted that no other funds are currently at risk of being stolen.
“We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk, and no user actions are required at this time. We will be sharing more information as soon as we have it.”
Sturdy’s community is understandably upset at the news, with some users proclaiming disbelief that attacks typical of the 2017 shitcoin boom era are still happening today.