Hack on Ethereum: 442 ETH drained from Sturdy Finance


Another reentrancy attack: the Sturdy Finance protocol, hosted on Ethereum, has just suffered a reentrancy-type attack. A total of 442 ETH was stolen by the hacker.

Flaw in Sturdy Finance: 442 ETH drained

Founded in 2022, Sturdy Finance offers an interest-free lending and borrowing platform on Ethereum. Since its launch, its TVL has oscillated between 10 and 20 million dollars.

However, a storm has hit the protocol. On June 12, in the early morning, a hacker exploited a so-called “reentrancy” vulnerability. This allowed him to manipulate the price reported by a faulty oracle and ultimately siphon off funds deposited in the pools.

In total, 442 ETH, or $800,000, were siphoned off from the protocol's various Ethereum pools.

In practice, the attack started with a reentrancy flaw. Such a flaw allows an attacker to call a function repeatedly within a single transaction, before the original call has completed. The attacker can thus access funds several times before the protocol records the updated balance after a withdrawal.

This vulnerability allowed him to manipulate the price provided by the oracle and to withdraw far more than would normally have been allowed.

Sturdy Finance's reaction

The Sturdy Finance team quickly stated on Twitter that it was aware of the attack, and immediately suspended all its markets to prevent further potential losses.

“We have suspended all markets; no additional funds are at risk, and no user action is required at this stage.”

Sturdy teams announce the hack – Source: Twitter.

The hacker, for his part, took care to cover his tracks: the address used to carry out the attack was funded by a transaction from the Tornado Cash mixer.

Within a minute of the attack, all the funds were moved to another address, again via Tornado Cash.


Reentrancy? Again?

As we have just seen, the protocol could be hacked because of a reentrancy flaw. Yet this is one of the most notorious flaw classes in the Ethereum ecosystem, having caused the hack of The DAO.

According to researchers at the company BlockSec, this is a “Typical reentrancy flaw on Balancer read-only pool”.

Note the adjective “typical”, which sends shivers down the spine when used of a flaw in a protocol. In practice, this flaw was disclosed in 2022, and Balancer responded in February.

Unfortunately, Sturdy Finance had not made the necessary changes, even though part of its code depends on these Balancer features.
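As an added illustration of the mechanism described above (the reentrancy explanation earlier in the article and the Balancer read-only pool issue in this section), the simplified Solidity contracts below are not code from the article, Sturdy Finance or Balancer: a toy pool whose state-changing functions are locked but whose price view is not, beside an oracle with the unsafe read and the guarded one. The pool, its field names and the order of its state updates are constructed assumptions, not Balancer's actual implementation.

```solidity
pragma solidity ^0.8.19;

// Toy single-asset pool whose LP "virtual price" is the storage-tracked reserve divided by LP
// supply. State-changing calls are guarded by `locked`, but the view is not: during the payout
// in exitPool the LP supply is already reduced while `reserve` is not yet, so a contract reading
// getVirtualPrice() from the payout callback sees an inflated value (read-only reentrancy).
contract SimplePool {
    uint256 public reserve;                     // ETH the pool believes it holds (assumption: storage-tracked)
    uint256 public totalSupply;                 // LP tokens outstanding
    mapping(address => uint256) public balanceOf;
    bool public locked;                         // true while a pool operation is in flight

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function join() external payable nonReentrant {
        uint256 minted = totalSupply == 0 ? msg.value : msg.value * totalSupply / reserve;
        reserve += msg.value;
        totalSupply += minted;
        balanceOf[msg.sender] += minted;
    }

    // ETH per LP token, scaled by 1e18. Only meaningful when no operation is in flight.
    function getVirtualPrice() external view returns (uint256) {
        return totalSupply == 0 ? 1e18 : reserve * 1e18 / totalSupply;
    }

    function exitPool(uint256 lpAmount) external nonReentrant {
        uint256 ethOut = reserve * lpAmount / totalSupply;
        balanceOf[msg.sender] -= lpAmount;      // underflow reverts in 0.8.x
        totalSupply -= lpAmount;                // supply shrinks now...
        (bool ok, ) = msg.sender.call{value: ethOut}("");  // ...receiver code runs here...
        require(ok, "transfer failed");
        reserve -= ethOut;                      // ...and the reserve is only corrected afterwards
    }
}

// Oracle showing the unsafe read beside the guarded one. The guard refuses to read while the
// pool's lock is held, so no price can be observed from inside a pool operation; Balancer's
// published mitigation likewise checks the Vault's reentrancy state before trusting a rate.
contract LpOracle {
    SimplePool public immutable pool;
    constructor(SimplePool p) { pool = p; }
    // Naive: trusts the pool even mid-operation.
    function unsafePrice() external view returns (uint256) { return pool.getVirtualPrice(); }
    // Hardened: reverts if a pool operation is in flight.
    function safePrice() external view returns (uint256) {
        require(!pool.locked(), "pool is mid-operation");
        return pool.getVirtualPrice();
    }
}
```

A lending protocol that values LP collateral through `safePrice()` cannot be shown a mid-operation rate; the same check belongs in any oracle that reads a pool's rate, not just the pool itself.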

Yet unlike many hacked protocols, Sturdy had been audited several times: three in total, in February and June 2022 by Certik and Code4rena, then on February 15, 2023 by Quantstamp, a week after the flaw in Balancer was published on the governance forum.

Recently, Atomic Wallet found itself in the spotlight after a flaw in its code led to the siphoning of $35 million.
