DeFi lending protocol Sturdy Finance has been hit by an exploit that drained 442 ETH (worth around $768,800) from the platform.

The exploit was highlighted by blockchain security firms like PeckShield and BlockSec; the Sturdy Finance team acknowledged the hack and paused activity on the DeFi platform as they investigated the issue. 

The protocol enables borrowing against liquidity provider (LP) tokens from exchanges like Curve and Balancer as collateral. The decentralized application offers two lending markets—Ethereum and dollar-pegged stablecoins.

Sturdy Finance core team member pgpsam noted in the project’s Discord channel that "from our investigation so far the stablecoin market is unaffected."

However, while activity remains paused, stablecoin and ETH users cannot withdraw from Sturdy's pools.

Pgpsam added, "Our priority right now is understanding the exploit/how to mitigate it and communication with the hacker." 

How did the exploit happen?

Initial reports indicate that the attacker manipulated the price oracle of a collateral pool and siphoned off funds from Sturdy. 

The BlockSec team posted a postmortem of the attack on Twitter this morning, describing it as a "typical Balancer read-only reentrancy" attack.

A re-entrancy attack happens when a smart contract function calls into another contract, and that other contract calls back into the first contract before the original call has finished executing.

In this case, the attacker re-entered the B-stETH-STABLE pool while earlier calls were still in progress, causing the pool's price oracle to malfunction and report a three-fold increase.

The attacker had used B-stETH-STABLE as collateral to borrow on Sturdy. As its reported price rose, the attacker withdrew collateral from Sturdy's pool. At that point, the actual value of the collateral was one-third of its inflated amount, allowing the hacker to pocket the difference.
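To make the mechanism concrete, here is a constructed Python model of the ordering flaw behind read-only reentrancy and of the defensive check a lender can apply. It is an added illustration, not Balancer's, Sturdy's or BlockSec's code; the pool, its `get_rate()` view and the `locked` flag are simplified stand-ins for a Balancer pool's rate and the vault's reentrancy lock.

```python
class Locked(Exception):
    """The guarded oracle refuses to price a pool that is mid-operation."""


class StablePool:
    """Constructed toy pool: rate = pooled value / LP supply (a 'virtual price')."""

    def __init__(self, balances, lp_supply):
        self.balances = list(balances)
        self.lp_supply = float(lp_supply)
        self.locked = False  # stands in for the vault's reentrancy lock

    def get_rate(self):
        # Naive read-only view: callable at any time, even mid-exit.
        return sum(self.balances) / self.lp_supply

    def exit_pool(self, lp_amount, receiver):
        """Burn LP tokens, pay the receiver, then update cached balances.
        The external call (e.g. an ETH transfer) runs before balances are
        updated, so a rate read during the callback divides the old balances
        by the already-reduced supply and comes out inflated."""
        self.locked = True
        payout = [b * lp_amount / self.lp_supply for b in self.balances]
        self.lp_supply -= lp_amount      # supply shrinks first ...
        receiver(self)                   # ... external call happens here ...
        self.balances = [b - p for b, p in zip(self.balances, payout)]  # ... balances last
        self.locked = False


def naive_oracle(pool):
    return pool.get_rate()


def guarded_oracle(pool):
    # Models the mitigation of probing the vault's reentrancy lock before
    # trusting a rate: if any vault operation is in progress, refuse to price.
    if pool.locked:
        raise Locked("pool is mid-operation; rate is not trustworthy")
    return pool.get_rate()


def rates_seen_during_exit(oracle, balances, lp_supply, lp_amount):
    """Exit the pool and record what the oracle reports before, during and after."""
    pool = StablePool(balances, lp_supply)
    seen = {"before": oracle(pool)}

    def callback(p):
        try:
            seen["during"] = oracle(p)
        except Locked:
            seen["during"] = None  # guarded oracle refused mid-operation

    pool.exit_pool(lp_amount, callback)
    seen["after"] = oracle(pool)
    return seen
```

With a pool holding 3,000 units of value against 3,000 LP tokens, burning two thirds of the supply makes the naive oracle report a rate of 3.0 mid-exit (the three-fold inflation described above) and 1.0 before and after; the guarded oracle returns nothing during the exit and 1.0 otherwise.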

The attacker took a flash loan from Aave of 50,000 wstETH and 60,000 WETH (worth around $191 million) to conduct the attack. 

PeckShield reported that the exploiters moved the stolen funds via Tornado Cash, an Ethereum mixer that adds a layer of privacy in transactions by obscuring the link between the sender and the recipient addresses.

The U.S. government sanctioned Tornado Cash last year due to its use by the North Korean hacking group Lazarus.
