Attacker drains $800K from DeFi protocol Sturdy Finance
Lending platform Sturdy Finance responded by pausing all markets and assuring its community that no additional funds were at risk.
Decentralized finance (DeFi) protocol Sturdy Finance lost 442 Ether (ETH), worth almost $800,000 at the time of writing, to a security exploit. The attacker exploited a vulnerability to manipulate a faulty price oracle, which allowed them to drain funds from the protocol.
On June 12, blockchain security firm PeckShield alerted Sturdy Finance and reported a transaction that appeared to involve price manipulation. Almost an hour later, the protocol's team said it was aware of the exploit and responded by pausing all of its markets and assuring users that no additional funds were at risk.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy (@SturdyFinance) June 12, 2023
Despite the swift response from the DeFi lending platform, PeckShield confirmed that the attacker was able to transfer almost $800,000 in ETH to the sanctioned crypto mixer Tornado Cash. The security firm also noted that the “root cause” of the exploit is a faulty price oracle.
In addition, the blockchain security company BlockSec highlighted that the hack was carried out through a reentrancy attack, a common method hackers use to withdraw funds from DeFi protocols.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN
— BlockSec (@BlockSecTeam) June 12, 2023
Through this method, hackers exploit the ability to repeatedly call a function within a single transaction before the initial function call has completed. In doing so, they can withdraw more funds than they are entitled to take. In the read-only variant BlockSec refers to, the function re-entered is a view function that reports a stale value mid-transaction, which is how a dependent price oracle ends up consuming a manipulated price.
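As an added illustration (not code from Sturdy, Balancer or BlockSec), the following constructed toy shows a pool whose view function reports a stale rate while a withdrawal is mid-call, next to an oracle consumer that refuses to read it in that state. ToyPool, LpOracle and isLocked() are invented names; the pool-side fix is noted in the comments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed toy (not Sturdy's or Balancer's code). The state-changing
// exitPool() is guarded, but getRate() is a view function and is not, so it
// can be read while exitPool() is mid-call and its state is half-updated.
contract ToyPool {
    uint256 public reserve;      // underlying tokens held by the pool
    uint256 public totalSupply;  // LP shares outstanding
    bool private locked;         // reentrancy guard, state-changing calls only

    modifier nonReentrant() { require(!locked, "locked"); locked = true; _; locked = false; }

    constructor() payable { reserve = msg.value; totalSupply = msg.value; }

    // Price of one LP share in underlying, scaled by 1e18.
    function getRate() external view returns (uint256) {
        return reserve * 1e18 / totalSupply;
    }

    // Shares are burned before the transfer, but `reserve` is only reduced
    // after it, so during the external call getRate() is inflated. The
    // pool-side fix is to finish all state updates before any external call.
    function exitPool(uint256 shares) external nonReentrant {
        uint256 amount = shares * reserve / totalSupply;
        totalSupply -= shares;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        reserve -= amount;
    }

    // Lets consumers detect that the pool is mid-operation.
    function isLocked() external view returns (bool) { return locked; }
}

// Consumer-side hardening: refuse to price LP tokens while the pool is locked,
// so a stale rate observed mid-call can never reach lending logic.
contract LpOracle {
    ToyPool public immutable pool;
    constructor(ToyPool p) { pool = p; }

    function price() external view returns (uint256) {
        require(!pool.isLocked(), "pool mid-operation: rate unreliable");
        return pool.getRate();
    }
}
```

A lender that prices collateral through LpOracle.price() reverts instead of accepting the inflated rate, which is the check a price oracle built on a pool's view functions needs.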
Meanwhile, scammers were able to take control of eight Twitter accounts by prominent crypto community members and promoted crypto scams. According to blockchain detective ZachXBT, the scammers have stolen almost $1 million in crypto after taking control of the accounts of DJ Steve Aoki, Pudgy Penguins founder Cole Villemain and even crypto hater Peter Schiff.
In other news, the United States Justice Department has recently charged two men who are allegedly involved in the Mt. Gox hack. According to the department, 43-year-old Alexey Bilyuchenko and 29-year-old Aleksandr Verner allegedly stole and conspired to launder 647,000 Bitcoin (BTC).