Sturdy Finance lost about $770,000 in the attack

DeFi landing protocol Sturdy Finance was the victim of an attack that resulted in the loss of ~442 ​​ETH (approximately $770,000 at the time of writing).

1/ @SturdyFinance was attacked and the loss is ~442 ​​ETH. The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN

— BlockSec (@BlockSecTeam) June 12, 2023

According to BlockSec, an unknown person took advantage of a re-entry error on Balancer and manipulation of the price oracle to change the price of B-stETH-STABLE.

According to experts, the sequence of actions of the hacker was as follows:

1. Received a flash loan on Aave in the amount of 50,000 wstETH and 60,000 WETH.
2. Contributed 1100 ETH to the pool to issue 1023 steSRV.
3. Added 50,000 wstETH and 57,000 WETH to the B-stETH-STABLE pool on Balancer to issue 109,517 tokens.
4. Deposited as collateral in Sturdy 1000 steSRV and 233 B-stETH-STABLE.
5. Borrowed under this pledge 513 WETH.
6. Through the manipulation of the oracle, he raised the price of B-stETH-STABLE so much that 1000 steSRV was no longer needed as collateral and withdrew the assets.
7. After the B-stETH-STABLE price returned to normal values, it liquidated the debt position for 236 WETH, calling 233 B-stETH-STABLE.
8. The attacker repeated steps 3-7 with five different contracts.
9. Repaid the flash loan on Aave and fixed the profit from the attack.

The Sturdy Finance team confirmed the incident and promised to share information later.

“We are aware of the discovered protocol vulnerability. All markets are suspended, there is currently no additional risk to funds, no action is required from users, ”the developers said.

We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.

We will be sharing more information as soon as we have it.

— Sturdy 🧱 (@SturdyFinance) June 12, 2023

A number of users in the comments reported that they could not withdraw funds from the protocol.

On-chain data shows that the attacker, Sturdy Finance, sent the withdrawn funds to the Tornado Cash mixing service.

Recall that on May 20, an unknown person seized control of the Ethereum mixer. A day later, he unexpectedly submitted a proposal to the DAO for consideration, the implementation of which rolled back the changes made and returned control of the protocol to holders of the TORN token.

The proposal was supported by 100% of those who took part in the vote, and the unknown person fulfilled his promise by returning control to the DAO.

Found a mistake in the text? Select it and press CTRL+ENTER