$61,591.00
-2.10%$2,894.54
-2.48%$6.60
-1.81%$573.17
-3.79%$144.15
-1.29%$0.999746
-0.07%$0.503116
-0.60%$2,892.16
-2.57%$6.69
-7.96%$0.148876
-1.20%$0.431406
-3.31%$0.0000233
-3.75%$32.18
-3.09%$0.125038
-0.79%$61,600.00
-1.86%$432.40
-2.17%$13.24
-2.13%$7.00
-3.62%$0.654618
-2.63%$79.44
-2.72%$11.84
-0.47%$5.91
-0.79%$6.89
-2.78%$2.03
-4.95%$0.00001072
11.63%$10.10
-10.41%$1.00
0.03%$0.106268
-3.93%$25.53
-3.88%$7.91
-4.15%$0.122788
-1.84%$8.25
-3.50%$2,999.77
-2.67%$0.958304
-3.52%$2.07
-3.75%$2.98
-3.74%$5.43
-3.97%$0.102426
-2.24%$49.03
-0.96%$1.95
-4.61%$2,844.84
-2.63%$0.115533
-2.25%$2.46
-2.35%$0.267976
-4.69%$0.956493
-3.56%$38.34
-5.22%$2,676.72
-2.40%$133.76
-0.60%$0.03329514
-2.15%$0.999633
-0.35%$340.31
-6.99%$0.912339
-7.32%$21.65
-6.28%$1.94
-3.59%$0.00019847
5.75%$5.60
-6.78%$0.654077
-4.54%$3,205.95
-2.50%$0.00002372
-3.16%$8.43
-7.03%$1.65
-6.78%$1.05
-2.33%$0.04011795
-4.56%$1.05
-3.12%$9.82
-0.77%$0.172934
-3.05%$1.58
-6.50%$2,972.21
-2.80%$92.53
-3.36%$0.462949
-5.79%$0.82688
-3.54%$81.12
-3.40%$5.11
-3.79%$59.91
-3.78%$0.00000116
-1.48%$0.851096
-4.70%$0.02191977
-3.75%$5.06
-13.45%$0.750122
-3.77%$0.02628114
-5.62%$18.52
-1.33%$1.88
-6.76%$8.04
-0.82%$14.60
-3.87%$0.719551
-8.82%$0.113946
-5.21%$37.46
-3.57%$0.0197872
-3.83%$1.004
-3.49%$6.70
-3.26%$0.526544
-7.86%$11.76
0.05%$0.411186
-2.70%$9.66
-2.06%$0.00004629
-0.44%$0.01832135
1.13%$0.768633
-1.27%$170.97
-1.31%$0.876947
-1.98%$0.774429
-4.98%$1.15
-3.54%$1.95
1.35%$0.749819
-4.64%$0.202174
-4.05%$2.51
-3.32%$2.39
-4.57%$4.72
-1.74%$2,892.91
-2.22%$36.57
-2.81%$0.01099459
0.65%$0.405237
-1.34%$2,911.43
-2.31%$0.997057
-0.18%$1.15
-3.47%$277.41
-3.22%$0.626742
-0.67%$1.21
-2.46%$11.80
-5.89%$172.68
-0.07%$0.205361
-1.44%$2.52
-3.56%$0.0148713
-4.84%$0.995889
-0.45%$0.415919
-3.36%$0.93897
-6.25%$1.95
-0.24%$3.91
-2.82%$0.00010354
-1.50%$0.09144
-5.80%$0.164436
-2.34%$0.71446
1.86%$2,884.68
-1.78%$2,353.99
0.41%$32.70
-2.22%$3,049.86
-2.58%$0.856278
-4.66%$0.00000026
-1.61%$14.17
-6.17%$17.15
1.81%$0.081899
-3.79%$0.342285
-7.36%$3,091.90
-2.57%$1.48
-3.26%$0.788448
-4.01%$0.508526
-4.49%$0.996936
-0.25%$1.89
-6.55%$0.520465
3.78%$0.03641123
-1.07%$78.32
-4.29%$2.30
-6.30%$0.411406
-2.85%$0.261326
-4.32%$4.88
-0.26%$0.084337
-4.65%$0.00000048
-1.75%$3.87
-1.13%$3,127.39
-2.69%$0.04308008
-3.12%$0.02449084
-1.80%$0.266673
-2.17%$0.04630069
-4.54%$2.57
-9.49%$1.04
-2.68%$2,333.84
0.09%$13.67
-1.79%$0.04203409
-2.49%$0.360732
-0.56%$0.205893
-2.49%$0.279047
-0.81%$0.02206936
-3.32%$0.888269
-10.70%$8.60
0.64%$1.52
-4.74%$0.294348
-4.28%$0.897937
-4.66%$0.00115368
-5.11%$0.731962
-5.10%$0.00700108
-1.01%$1.56
-4.26%$19.12
-4.96%$0.563337
-3.69%$0.366438
-6.26%$0.00668175
-0.27%$0.02756889
-2.94%$0.00214775
-3.23%$0.449399
-2.08%$3.32
-7.46%$0.815802
-1.25%$0.997777
-0.25%$4.47
-5.05%$0.509516
-1.74%$1,238.38
-1.79%$1.56
-0.62%$3.49
-1.80%$2,967.90
-2.83%$53.05
-3.70%$3.12
-3.80%$3.73
29.28%$0.068414
-3.07%$0.689122
1.51%$3.14
-5.54%$0.226282
-2.23%$22.24
-0.04%$0.03452607
-2.55%$27.75
-1.54%$0.421034
-0.27%$0.02706034
-3.38%$4.07
-1.52%$0.03529766
-0.12%$58.08
-2.67%$4.84
-1.97%$30.65
-3.24%$0.781099
-5.67%$55.20
-2.94%$122.87
-5.74%$0.03135072
-1.92%$0.245843
-0.93%$3.13
-3.38%$0.00590029
-2.49%$3.68
-9.74%$0.685048
-1.99%$7.33
-2.56%$0.847211
-2.28%$2.06
3.17%$0.0009326
13.61%$17.79
-4.09%$1.96
-2.55%$0.00026584
-10.76%$3.75
-4.43%$0.738145
-6.17%$0.00307411
-13.25%$0.03207498
-7.12%$0.00349387
-4.68%$28.30
2.13%$0.296592
-6.71%$0.298645
-7.21%$0.34313
-6.07%$1.42
4.27%$2.21
-3.47%$28.11
-0.70%$0.244222
-3.83%$3,027.43
-2.86%$0.689097
1.38%$0.792861
-0.93%$34.85
-2.44%$62.29
-2.23%$37.13
-2.13%
DeFi lending protocol Sturdy Finance has been hit by an exploit that drained 442 ETH (worth around $768,800) from the platform.
The exploit was highlighted by blockchain security firms like PeckShield and BlockSec; the Sturdy Finance team acknowledged the hack and paused activity on the DeFi platform as they investigated the issue.
The protocol enables borrowing against liquidity provider (LP) tokens from exchanges like Curve and Balancer as collateral. The decentralized application offers two lending markets—Ethereum and dollar-pegged stablecoins.
Sturdy Finance core team member pgpsam noted in the project’s Discord channel that "from our investigation so far the stablecoin market is unaffected."
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy 🧱 (@SturdyFinance) June 12, 2023
However, while activity remains paused, stablecoin and ETH users cannot withdraw from Sturdy's pools.
Pgpsam added, "Our priority right now is understanding the exploit/how to mitigate it and communication with the hacker."
Initial reports indicate that the attacker manipulated the price oracle of a collateral pool and siphoned off funds from Sturdy.
The BlockSec team reported the attack's postmortem report on Twitter this morning, noting that it was a "typical Balancer's read-only reentrancy" attack.
A re-entrancy attack happens when a smart contract function interacts with another contract, and that other contract calls back to the first contract before it has finished its execution.
In this case, the attacker repeatedly called the B-stETH-STABLE pool before previous transactions were executed, causing the pool's price oracle to malfunction and reflect a three-fold increase.
The attacker had used B-stETH-STABLE as collateral to borrow on Sturdy. As its price increased, the attacker withdrew collateral from Sturdy's pool. At this point, the actual value of their collateral is one-third of its inflated amount, allowing the hacker to benefit from the difference.
The attacker took a flash loan from Aave of 50,000 wstETH and 60,000 WETH (worth around $191 million) to conduct the attack.
PeckShield reported that the exploiters moved the stolen funds via Tornado Cash, an Ethereum mixer that adds a layer of privacy in transactions by obscuring the link between the sender and the recipient addresses.
The U.S. government sanctioned Tornado Cash last year due to its use by the North Korean hacking group Lazarus.
