Attacker rips $800K from DeFi protocol Sturdy Finance

By: Henry Felix

June 12, 2023 12:56 PM

All markets were paused and the lending platform assured its community that no more funds were at risk.


Sturdy Finance, a decentralized finance (DeFi) protocol, has lost 442 Ether (ETH), worth about $800,000 at the time of writing, due to a security flaw. The attacker exploited a weakness to manipulate a flawed price oracle, allowing them to drain funds from the protocol.


PeckShield, a blockchain security startup, alerted Sturdy Finance on June 12 and reported a transaction that appeared to be tied to price manipulation. Almost an hour later, the DeFi protocol acknowledged the attack and responded by halting all markets and assuring customers that no additional funds were at risk.

 


Despite the DeFi lending platform's quick response, PeckShield revealed that the attacker was able to move about $800,000 in ETH to the crypto mixer Tornado Cash. The "root cause" of the exploit, according to the security firm, was a flawed price oracle.

 

Furthermore, the blockchain security firm BlockSec stated that the hack was carried out via a reentrancy attack, a popular method used by hackers to take funds from DeFi protocols.

 


The technique takes advantage of the fact that it is possible to make several calls to a function within the same transaction. With this method, hackers can withdraw more funds than should be possible.

 

Meanwhile, fraudsters compromised eight Twitter accounts belonging to well-known members of the cryptocurrency community to spread fake cryptocurrency investment opportunities. After gaining access to the accounts of well-known people including DJ Steve Aoki, Pudgy Penguins' entrepreneur Cole Villemain, and crypto critic Peter Schiff, scammers allegedly stole about $1 million in cryptocurrency, as reported by blockchain detective ZachXBT.


In other news, the US Justice Department has just charged two men in connection with the Mt. Gox breach. According to the department, Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, allegedly stole and plotted to launder 647,000 Bitcoin (BTC).