Decentralized finance (DeFi) protocol Sturdy Finance has lost 442 Ether (ETH), worth almost $800,000 at the time of writing, to a security exploit. The attacker exploited a vulnerability to manipulate a faulty price oracle, allowing them to drain funds from the protocol.
On June 12, blockchain security firm PeckShield alerted Sturdy Finance and reported a transaction that seemed to be related to price manipulation. Almost an hour later, the DeFi protocol said it was aware of the exploit and responded by pausing all its markets and assuring users that no additional funds were at risk.
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time. We will be sharing more information as soon as we have it.
Despite a swift response from the DeFi lending platform, PeckShield confirmed that the attacker was able to transfer almost $800,000 in ETH to the crypto mixer Tornado Cash. The security firm also noted that the “root cause” of the exploit was a faulty price oracle.
Additionally, the blockchain security company BlockSec highlighted that the hack was done through a reentrancy attack, which is a common method hackers use to withdraw funds from DeFi protocols.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN
With this method, hackers exploit the ability to call a function repeatedly within a single transaction before the initial function call has completed. This lets them withdraw more funds than should be possible.
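As an added illustration (not code from the article, Sturdy or Balancer), here is a simplified Python model of the "read-only" variant named in BlockSec's tweet: a price view is read while a pool operation is only half finished, next to a guarded view that refuses to answer in that state. The `Pool` class, its numbers and the order of its state updates are assumptions made for this sketch.

```python
class Pool:
    """Toy two-asset pool (constructed model; the token is priced 1:1 with ETH)."""

    def __init__(self, eth, token, shares):
        self.eth, self.token, self.shares = eth, token, shares
        self.locked = False  # reentrancy lock, checked by state-changing calls

    def share_price(self):
        # Unguarded view: value of one pool share in ETH.
        return (self.eth + self.token) / self.shares

    def safe_share_price(self):
        # Guarded view: refuses to report a price while an operation is in flight.
        if self.locked:
            raise RuntimeError("pool is mid-operation; price is not reliable")
        return self.share_price()

    def exit(self, shares, on_receive_eth):
        # Burn shares and pay out. The ETH payout hands control to the receiver.
        if self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        eth_out = self.eth * shares / self.shares
        token_out = self.token * shares / self.shares
        self.shares -= shares      # share supply is reduced first
        on_receive_eth(eth_out)    # external call: the receiver's code runs here
        self.eth -= eth_out        # balances are only updated afterwards
        self.token -= token_out
        self.locked = False


def observe(view_name):
    """Record the price before, during and after an exit, using the named view."""
    pool = Pool(eth=1000.0, token=1000.0, shares=2000.0)  # constructed sample state
    seen = {"before": pool.share_price()}

    def receiver(_eth):
        try:
            seen["during"] = getattr(pool, view_name)()
        except RuntimeError:
            seen["during"] = None  # guarded view refused to answer

    pool.exit(1000.0, receiver)
    seen["after"] = pool.share_price()
    return seen


if __name__ == "__main__":
    print("unguarded:", observe("share_price"))
    print("guarded:  ", observe("safe_share_price"))
```

The lock stops a second state-changing call, but the unguarded view still returns a price computed from a reduced share supply and not-yet-reduced balances, which is why a protocol consuming such a price has to check the pool's lock state before trusting it.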