Sturdy Finance, a decentralized lending platform that offers users interest-free borrowing and high-yield lending, has suffered an exploit that drained approximately 442 Ethereum (ETH), worth about $800,000.
The decentralized finance (DeFi) sector remains one of the main targets for bad actors in the cryptocurrency market, and it has seen its fair share of hacks since the beginning of this year.
Data from Naoris Protocol, a global cyber security firm, showed a rise in the number of reported cyber security hacks on Web3 and DeFi in Q1 2023 compared to the same period in 2022 and 2021; Naoris counted 16 reported hacks in Q1 2022 and 10 in Q1 2021. Monica Oravcova, co-founder and COO at Naoris Protocol, said:
“Our analysis shows an alarming increase in the number of hacks. This is a disturbing trend. It’s important to use a new set of tools and technology, specifically, Distributed CyberSecurity Mesh Architecture, to protect the decentralized ecosystem.”
Another DeFi Attack
We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time.
We will be sharing more information as soon as we have it.
— Sturdy 🧱 (@SturdyFinance) June 12, 2023
In the latest of this string of attacks, Sturdy Finance was hacked for approximately $800K. According to blockchain security firm PeckShield, the attacker manipulated a faulty price oracle and used the distorted price to drain funds from the protocol.
PeckShield identified the root cause as the defective price oracle used to compute the price of the cB-stETH-STABLE asset. Almost an hour later, Sturdy Finance confirmed the attack on Twitter.
The loss of today's @SturdyFinance hack is ~442 ETH (w/ ~$800K).
The root cause is due to the faulty price oracle to compute the cB-stETH-STABLE asset price @SturdyFinance https://t.co/M4l0GjJfFm pic.twitter.com/b8zK0q9H80
— PeckShield Inc. (@peckshield) June 12, 2023
As news of the exploit spread, Sturdy Finance paused all of its markets and assured users that no additional funds were at risk. Meanwhile, smart contract auditor BlockSec went a step further than PeckShield's oracle finding and attributed the price manipulation itself to a “typical Balancer’s read-only reentrancy”: the B-stETH-STABLE price was read from the Balancer pool while that pool was in the middle of a transaction.
For the unversed, a classic reentrancy attack is a smart contract vulnerability in which an exploiter contract calls back into the victim contract before it has finished updating its state, and repeats this until a significant amount of funds has been drained. Read-only reentrancy is subtler: the victim pool's state-changing functions are protected by a reentrancy lock, but during a callback the pool itself triggers (for example, while sending ETH to the caller) its unlocked view functions report intermediate, inconsistent values, such as a pool-token supply that has already been reduced against balances that have not yet been settled. A third contract that reads those values mid-transaction, here the lending protocol's price oracle, is the one that gets fooled into accepting an inflated collateral price.
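To make the mechanism concrete, the following is an added, deliberately simplified model written for this article; it is not code from Sturdy, Balancer, PeckShield or BlockSec. A `Pool` burns pool tokens, pays the recipient (a callback), and only then settles its balances, while its `get_rate()` view is not covered by the reentrancy lock. A naive oracle that reads that view mid-exit sees an inflated rate, and a lending market prices collateral off it. The guarded variant probes the pool's lock before reading, which is the check Balancer's `VaultReentrancyLib.ensureNotInVaultContext` performs on-chain. All names, balances and the single-asset pool are constructed assumptions.

```python
"""Toy model of a Balancer-style read-only reentrancy against a pool-token oracle.

Constructed example for illustration, not Sturdy's, Balancer's or any auditor's code.
Numbers and names are made up; a single `balance` stands in for the pool's assets.
"""


class ReentrancyError(Exception):
    """Stands in for the vault's reentrancy revert (Balancer uses error BAL#400)."""


class Pool:
    """Pool whose state-changing exit is reentrancy-locked but whose rate view is not."""

    def __init__(self, balance: int, supply: int) -> None:
        self.balance = balance    # underlying tokens the pool holds
        self.supply = supply      # pool tokens (BPT) outstanding
        self.entered = False      # lock held only while exit() is running

    def get_rate(self) -> float:
        # View function: reads storage without taking the lock, so it can be called
        # while exit() is mid-flight and see an inconsistent supply/balance pair.
        return self.balance / self.supply

    def exit(self, bpt_amount: int, recipient: "Attacker") -> int:
        if self.entered:
            raise ReentrancyError("exit called re-entrantly")
        self.entered = True
        try:
            out = bpt_amount * self.balance // self.supply
            self.supply -= bpt_amount      # 1. BPT is burned first...
            recipient.receive_eth(out)     # 2. ...payout (callback!) happens before...
            self.balance -= out            # 3. ...the pool balances are settled.
            return out
        finally:
            self.entered = False

    def lock_is_held(self) -> bool:
        # What probing a locked entry point reveals. Balancer's ensureNotInVaultContext
        # staticcalls manageUserBalance([]) and treats a BAL#400 revert as "inside the vault".
        return self.entered


class BptOracle:
    """Prices one BPT in units of the underlying via the pool's rate view."""

    def __init__(self, pool: Pool, guarded: bool) -> None:
        self.pool = pool
        self.guarded = guarded

    def price(self) -> float:
        if self.guarded and self.pool.lock_is_held():
            raise ReentrancyError("oracle read while a pool exit is in progress")
        return self.pool.get_rate()


class Lending:
    LTV = 0.8  # assumed loan-to-value ratio

    def __init__(self, oracle: BptOracle) -> None:
        self.oracle = oracle

    def max_borrow(self, collateral_bpt: int) -> int:
        return int(collateral_bpt * self.oracle.price() * self.LTV)


class Attacker:
    """Holds BPT as collateral and re-enters the lending market from the exit callback."""

    def __init__(self, pool: Pool, lending: Lending, collateral_bpt: int) -> None:
        self.pool, self.lending, self.collateral = pool, lending, collateral_bpt
        self.rate_seen = None
        self.borrowed = 0
        self.guard_tripped = False

    def receive_eth(self, amount: int) -> None:
        # Runs inside Pool.exit: supply already reduced, balance not yet reduced.
        self.rate_seen = self.pool.get_rate()
        try:
            self.borrowed = self.lending.max_borrow(self.collateral)
        except ReentrancyError:
            self.guard_tripped = True


def run_attack(guarded: bool) -> dict:
    pool = Pool(balance=1_000, supply=1_000)          # fair rate 1.0 (constructed)
    lending = Lending(BptOracle(pool, guarded))
    attacker = Attacker(pool, lending, collateral_bpt=100)
    fair_rate = pool.get_rate()
    pool.exit(bpt_amount=500, recipient=attacker)    # attacker redeems half the pool
    return {
        "fair_rate": fair_rate,
        "rate_seen_mid_exit": attacker.rate_seen,
        "rate_after_exit": pool.get_rate(),
        "borrowed": attacker.borrowed,
        "honest_borrow": int(100 * fair_rate * Lending.LTV),
        "guard_tripped": attacker.guard_tripped,
    }


if __name__ == "__main__":
    for guarded in (False, True):
        print("guarded oracle" if guarded else "naive oracle", run_attack(guarded))
```

With the naive oracle the attacker sees a rate of 2.0 mid-exit against a fair rate of 1.0 and borrows twice what the collateral supports; once the exit settles, the pool's rate is back to 1.0, so a post-hoc read of the view shows nothing wrong. With the guarded oracle the borrow reverts during the callback, which is why integrators were advised to add the vault-context check rather than rely on the pool's own locks.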
Web3 knowledge graph protocol 0xScope confirmed the exploit, adding that the attacker moved the stolen funds to the sanctioned crypto-mixing protocol Tornado Cash and to the ChangeNOW exchange.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer's read-only reentrancy, while the price of B-stETH-STABLE was manipulated! pic.twitter.com/5l9mVfhpQN
— BlockSec (@BlockSecTeam) June 12, 2023
Exploits on Decentralized Protocols Surge
Attacks on the decentralized sector are growing more intense. Over the past three years, high-profile crypto thefts have become more frequent, especially in DeFi. Flash loan attacks, exit scams, cross-chain bridge exploits, reentrancy attacks and rug pulls are among the most common methods of attack in the DeFi space.
Such attacks continue to dent investor confidence in the digital assets industry, which is already going through a turbulent phase of macroeconomic uncertainty and mounting pressure from regulators around the world.
ICYMI: The SEC is suing Binance and its CEO Changpeng Zhao for breaking US securities rules.
Here's what to know https://t.co/MXn1vODyw0
— Bloomberg Crypto (@crypto) June 5, 2023
The situation is particularly grim in the US, where regulatory agencies such as the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) are cracking down on crypto-focused companies and targeting digital tokens such as Solana (SOL), Cardano (ADA) and Polygon (MATIC), among others. Most recently, the SEC took aim at two of the industry's most prominent companies, Binance and Coinbase.
Last month, Crypto-Economy reported that, in response to rising criminal activity involving crypto, the United States Department of Justice's (DOJ) crypto team has started hunting DeFi hackers. In a detailed statement, the DOJ said its National Cryptocurrency Enforcement Team would serve as the focal point for tackling cybercrime, money laundering and other illegal activity involving cryptocurrencies and digital assets.