Sturdy Finance Loses $800K to DeFi Exploit
Summary
On June 12, 2023, Sturdy Finance, a DeFi protocol on the Ethereum blockchain known for its lending and borrowing services, was compromised in a security breach. Attackers exploited a vulnerability in the protocol’s price oracle, combined with a read-only reentrancy flaw, orchestrating a theft of approximately $800,000.
Attackers
The identity of the hackers who attacked Multichain is unknown.
Hacker Ethereum Wallet:
0x1E8419E724d51E87f78E222D935fbbdeb631a08B
Losses
Timeline
- June 12, 2023, 01:06:35 AM UTC: The malicious transaction occurred.
- June 12, 2023, 01:08:23 AM UTC: The attacker began sending stolen funds to Tornado Cash.
- June 12, 2023, 09:19 AM UTC: Sturdy Finance team announced about the hack.
- June 12, 2023, 08:25:35 PM UTC: Sturdy Finance communicated with the hacker, proposing a deal to recover the stolen assets in exchange for a $100,000 reward, alongside a promise of no legal action.
- June 20, 2023: Immunebytes published a detailed analysis of the incident.
- July 1, 2023: Sturdy Finance published exploit Post-Mortem.
Security Failure Causes
- Smart Contract Vulnerability: The initial vulnerability that enabled the hack was a read-only reentrancy flaw within the smart contract system. This vulnerability allowed attackers to re-enter certain functions within the contract without proper access control or limitations, enabling them to exploit the contract’s functions maliciously.
- Flash Loans Exploitation: The attackers initiated their scheme by obtaining a significant flash loan, a large amount of cryptocurrency borrowed and repaid within a single transaction. This loan provided the capital to manipulate market conditions in their favor without requiring any collateral, exploiting the protocol’s mechanisms for borrowing and lending.
- Price Oracle Manipulation: Central to the attack was the manipulation of a faulty price oracle related to the Balancer’s B-stETH-STABLE pool. By artificially inflating the price of the sBTC-WBTC liquidity provider tokens, the attackers deceived the protocol into misvaluing the collateral, allowing them to borrow against an inflated collateral value and subsequently extract profits by reversing the manipulation, thus exploiting the discrepancy between the manipulated and actual market values.