
Sturdy Finance loses about $770,000 in attack
The lending DeFi protocol Sturdy Finance was attacked, resulting in a loss of roughly 442 ETH (about $770,000 at the time of writing).
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated!
— BlockSec (@BlockSecTeam) June 12, 2023
According to BlockSec specialists, the attacker exploited a Balancer read-only reentrancy vulnerability and manipulated the price oracle to alter the price of B-stETH-STABLE.
According to experts, the hacker’s sequence of actions was as follows:
1. Obtained a flash loan on Aave for 50,000 wstETH and 60,000 WETH.
2. Deposited 1,100 ETH into the pool to mint 1,023 steSRV.
3. Added 50,000 wstETH and 57,000 WETH to the Balancer pool B-stETH-STABLE to mint 109,517 tokens.
4. Deposited 1,000 steSRV and 233 B-stETH-STABLE as collateral in Sturdy.
5. Borrowed 513 WETH against this collateral.
6. Through oracle manipulation, inflated the price of B-stETH-STABLE to the point where the 1,000 steSRV were no longer required as collateral, and withdrew them.
7. After the price of B-stETH-STABLE returned to normal, liquidated the debt position for 236 WETH, withdrawing the 233 B-stETH-STABLE.
8. Repeated steps 3–7 across five different contracts.
9. Repaid the flash loan on Aave and kept the proceeds of the attack.
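The root cause named above is Balancer read-only reentrancy: a lending protocol that reads a Balancer pool's BPT rate while the Vault is still inside a join or exit sees a transiently skewed value. The following is an added illustration, not code from Sturdy, Balancer or BlockSec, of the mitigation Balancer itself recommends: before trusting the pool rate, probe the Vault with a no-op `manageUserBalance` staticcall and refuse to serve a price if the Vault's reentrancy lock is held. The `GuardedBptOracle` contract and its names are hypothetical; `manageUserBalance`, `getRate` and Balancer error code `BAL#400` (REENTRANCY) are real interfaces and values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Balancer Vault interface: only what the reentrancy probe needs.
interface IBalancerVault {
    enum UserBalanceOpKind { DEPOSIT_INTERNAL, WITHDRAW_INTERNAL, TRANSFER_INTERNAL, TRANSFER_EXTERNAL }
    struct UserBalanceOp {
        UserBalanceOpKind kind;
        address asset;
        uint256 amount;
        address sender;
        address payable recipient;
    }
    function manageUserBalance(UserBalanceOp[] calldata ops) external payable;
}

// Minimal stable-pool interface. getRate() is the BPT price that read-only
// reentrancy lets a caller observe in a half-updated state.
interface IBalancerStablePool {
    function getRate() external view returns (uint256);
}

// Hypothetical oracle wrapper (added example): reports the BPT rate only when
// the Vault is NOT mid-transaction, so a join/exit callback cannot read it.
contract GuardedBptOracle {
    IBalancerVault public immutable vault;
    IBalancerStablePool public immutable pool;

    constructor(IBalancerVault _vault, IBalancerStablePool _pool) {
        vault = _vault;
        pool = _pool;
    }

    // Same trick as Balancer's VaultReentrancyLib.ensureNotInVaultContext():
    // a no-op manageUserBalance() via staticcall always reverts, but HOW it
    // reverts differs. Outside a Vault call the nonReentrant modifier's storage
    // write is rejected by the staticcall and the revert carries no data; inside
    // a join/exit/swap the lock is already held and it reverts with "BAL#400".
    function ensureNotInVaultContext() internal view {
        IBalancerVault.UserBalanceOp[] memory noop = new IBalancerVault.UserBalanceOp[](0);
        (, bytes memory revertData) = address(vault).staticcall{gas: 10_000}(
            abi.encodeWithSelector(IBalancerVault.manageUserBalance.selector, noop)
        );
        require(revertData.length == 0, "oracle: vault reentrancy");
    }

    // Price read used by a lending market for B-stETH-STABLE collateral.
    function getBptRate() external view returns (uint256) {
        ensureNotInVaultContext();
        return pool.getRate();
    }
}
```

A lending market that only prices BPT collateral through such a guard turns the manipulation window described in step 6 into a revert rather than an inflated collateral value.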
The Sturdy Finance team confirmed the incident and said it would share information later.
"We are aware of the vulnerability discovered in the protocol. All markets have been paused; at this time there is no additional risk to funds, and no user action is required," the developers said.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy (@SturdyFinance) June 12, 2023
Some users reported in comments that they could not withdraw funds from the protocol.
show that the attacker sent the withdrawn funds to the Tornado Cash mixer.
On May 20, an unknown attacker seized control of the Ethereum mixer. The next day, unexpectedly, he submitted a proposal to the DAO whose execution rolled back his changes and returned control of the protocol to the TORN token holders.
The proposal was supported by 100% of those participating in the vote, and the unknown attacker fulfilled the promise, returning control to the DAO.