Attacker drains $800K from DeFi protocol Sturdy Finance
Decentralized finance (DeFi) protocol Sturdy Finance has lost 442 Ether (ETH), worth almost $800,000 at the time of writing, to a security exploit. The attacker exploited a vulnerability to manipulate a faulty price oracle, allowing them to drain funds from the protocol.
On June 12, blockchain security firm PeckShield alerted Sturdy Finance and reported a transaction that appeared to be related to price manipulation. Almost an hour later, the DeFi protocol said it was aware of the exploit, paused all of its markets and assured users that no additional funds were at risk.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy (@SturdyFinance) June 12, 2023
Despite a swift response from the DeFi lending platform, PeckShield confirmed that the attacker was able to transfer almost $800,000 in ETH to the crypto mixer Tornado Cash. The security firm also noted that the “root cause” of the exploit was a faulty price oracle.
Additionally, the blockchain security company BlockSec highlighted that the hack was carried out through a reentrancy attack, a common method hackers use to withdraw funds from DeFi protocols.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN
— BlockSec (@BlockSecTeam) June 12, 2023
In such an attack, hackers exploit the ability to call a function repeatedly within a single transaction before the initial function call has completed. With this, hackers can withdraw more funds than should be possible.
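BlockSec's tweet points to the read-only variant, where the reentered call does not withdraw anything but reads a pool's state (here, a share price) while that state is mid-update. The toy Solidity contracts below are an added illustration written for this article, not Sturdy's or Balancer's code: a pool whose exit function sends ETH before reducing its supply, a naive oracle that reads the rate unconditionally, and a guarded oracle that refuses to read while the pool is mid-operation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Toy pool constructed for this example: shares are backed by the ETH it
// holds, and its "rate" (balance / totalSupply) is the kind of value a
// lending protocol might feed into a price oracle.
contract ToyPool {
    mapping(address => uint256) public shares;
    uint256 public totalSupply;
    bool public inTransaction; // reentrancy lock, readable by other contracts

    function join() external payable {
        shares[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    // Defect: ETH leaves before totalSupply is reduced. Code running inside
    // the recipient's fallback sees a balance that has already dropped while
    // supply has not, so getRate() is understated at that moment.
    function exit(uint256 amount) external {
        require(!inTransaction, "reentrant call");
        inTransaction = true;
        shares[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        totalSupply -= amount; // should run before the call (checks-effects-interactions)
        inTransaction = false;
    }

    function getRate() public view returns (uint256) {
        if (totalSupply == 0) return 1e18;
        return (address(this).balance * 1e18) / totalSupply;
    }
}

// Oracle that trusts the rate unconditionally, so it can be read mid-exit.
contract NaiveOracle {
    ToyPool public immutable pool;
    constructor(ToyPool p) { pool = p; }
    function price() external view returns (uint256) { return pool.getRate(); }
}
// Hardened oracle: refuses to read while the pool is mid-operation, so the
// inconsistent intermediate state is never consumed as a price.
contract GuardedOracle {
    ToyPool public immutable pool;
    constructor(ToyPool p) { pool = p; }
    function price() external view returns (uint256) {
        require(!pool.inTransaction(), "pool in reentrant context");
        return pool.getRate();
    }
}
```

The lock on the pool stops a second call to exit but does nothing for view calls, which is why the consumer-side check in GuardedOracle matters alongside fixing the ordering inside exit.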
Meanwhile, scammers took control of eight Twitter accounts belonging to prominent crypto community members and used them to promote crypto scams. According to blockchain detective ZachXBT, the scammers stole almost $1 million in crypto after taking control of the accounts of famous DJ Steve Aoki, Pudgy Penguins founder Cole Villemain, and even crypto hater Peter Schiff.
In other news, the United States Justice Department has recently charged two men who are allegedly involved in the Mt. Gox hack. According to the department, 43-year-old Alexey Bilyuchenko and 29-year-old Aleksandr Verner allegedly stole and conspired to launder 647,000 Bitcoin (BTC).