The DeFi platform team is trying to communicate with the attackers as the stolen ETH is being transferred through Tornado Cash.
DeFi lending protocol Sturdy Finance was hit with an exploit that drained 442 ETH (worth around $768,800) from the platform.
The exploit was flagged by blockchain security companies such as PeckShield and BlockSec; the Sturdy Finance team has acknowledged the hack and paused activity on the DeFi platform while it investigates the issue.
The protocol makes it possible to borrow against Liquidity Provider (LP) tokens from exchanges such as Curve and Balancer as collateral. The decentralized application offers two lending markets – Ethereum and dollar-pegged stablecoins.
Sturdy Finance core team member pgpsam noted in the project’s Discord channel that “from our investigation so far, the stablecoin market has not been affected.”
However, while the activity remains paused, stablecoin and ETH users cannot withdraw from Sturdy pools.
“Our priority now is to understand the exploit / how to mitigate it and communicate with the hacker,” Bagbsam added.
How did the exploitation happen?
Initial reports indicate that the attacker manipulated the price oracle for the collateral pool and drained the funds from Sturdy.
The BlockSec team posted a post-mortem of the attack on Twitter this morning, describing it as a “typical read-only reentrancy” attack on a Balancer pool.
A reentrancy attack occurs when a smart contract function calls into another contract, and that other contract calls back into the first contract before the original call has finished executing.
In this case, the attacker re-entered the B-stETH-STABLE pool before the previous call had finished executing, causing the oracle to misprice the pool and inflate its reported price roughly threefold.
The attacker used B-stETH-STABLE as collateral to borrow from Sturdy. With its price inflated, the attacker pulled collateral from the Sturdy pool. At that point the true value of their collateral was one-third of its inflated value, allowing the hacker to pocket the difference.
The attacker took a flash loan from Aave of 50,000 wstETH and 60,000 WETH (worth about $191 million) to carry out the attack.
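As an added illustration (not code from the article, BlockSec or Sturdy), a hypothetical Solidity LP-token oracle shows the unguarded read that a re-entrant caller can exploit beside a hardened version that probes the Balancer Vault's reentrancy guard before pricing; the interface names and the one-ETH-per-token simplification are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Trimmed interfaces (hypothetical names, real Balancer v2 function signatures).
interface IBalancerVault {
    function getPoolTokens(bytes32 poolId) external view
        returns (address[] memory tokens, uint256[] memory balances, uint256 lastChangeBlock);
}
interface IBalancerPool {
    function getPoolId() external view returns (bytes32);
    function totalSupply() external view returns (uint256);
}

/// Hypothetical LP-token oracle. It prices the LP token as pooled value / LP supply and,
/// to stay short, assumes every pool token is worth 1 ETH (roughly true for wstETH/WETH).
contract LpOracle {
    IBalancerVault public immutable vault;
    IBalancerPool public immutable pool;

    constructor(IBalancerVault _vault, IBalancerPool _pool) { vault = _vault; pool = _pool; }

    // VULNERABLE: a plain view read. During an exit the Vault burns the caller's BPT and
    // pays out ETH *before* it writes the new token balances, so a caller re-entering from
    // that ETH transfer sees the full pre-exit balances over an already reduced supply,
    // i.e. an inflated LP price.
    function getPriceUnsafe() external view returns (uint256) {
        return _pooledValue() * 1e18 / pool.totalSupply();
    }

    // HARDENED: refuse to answer while the Vault is in the middle of an operation.
    function getPrice() external view returns (uint256) {
        _ensureNotInVaultContext();
        return _pooledValue() * 1e18 / pool.totalSupply();
    }

    function _pooledValue() internal view returns (uint256 total) {
        (, uint256[] memory balances, ) = vault.getPoolTokens(pool.getPoolId());
        for (uint256 i = 0; i < balances.length; i++) total += balances[i];
    }

    // Probe the Vault's reentrancy guard (the same trick as Balancer's VaultReentrancyLib):
    // staticcall manageUserBalance with an empty op list. Outside Vault context the guard
    // passes its check and then reverts on the storage write (empty revert data); inside
    // Vault context it reverts with the encoded "BAL#400" reentrancy error.
    function _ensureNotInVaultContext() internal view {
        bytes4 sel = bytes4(keccak256("manageUserBalance((uint8,address,uint256,address,address)[])"));
        // Argument word 0 doubles as an offset of 0, which decodes as a zero-length array.
        (, bytes memory revertData) = address(vault).staticcall{gas: 10_000}(abi.encodeWithSelector(sel, 0));
        require(revertData.length == 0, "oracle: vault reentrancy");
    }
}
```

A lending protocol that only ever consults `getPrice()` will see the collateral valuation revert, rather than succeed at an inflated figure, whenever it is queried from inside a Vault join or exit.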
PeckShield reported that the exploiters moved the stolen funds via Tornado Cash, an Ethereum mixer that adds a layer of privacy to transactions by obscuring the link between sender and recipient addresses.
Tornado Cash was sanctioned by the US government last year due to its use by the North Korean hacking group Lazarus.