Sturdy Finance, a decentralized finance (DeFi) protocol, has fallen victim to a security exploit resulting in the loss of approximately 442 Ethereum (ETH), valued at nearly $800,000 at the time of the incident. The attack was carried out through a manipulation of a faulty price oracle, which allowed the attacker to drain funds from the protocol.
The exploit came to light when blockchain security firm PeckShield alerted Sturdy Finance on June 12, flagging a suspicious transaction related to price manipulation. Shortly after, the DeFi protocol responded by halting all its markets and assuring users that no additional funds were at risk.
However, despite the swift response, PeckShield confirmed that the attacker managed to transfer the equivalent of almost $800,000 in ETH to the crypto mixer Tornado Cash. The security firm attributed the root cause of the exploit to the flawed price oracle.
According to BlockSec, another blockchain security company, the attack employed a reentrancy technique commonly used by hackers to withdraw funds from DeFi protocols. This method allows hackers to repeatedly call a function within a single transaction before the initial function call is complete, enabling them to withdraw more funds than should be possible.
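The reentrancy pattern described above, shown as an added Python model that is not code from Sturdy Finance, BlockSec, or the actual exploit transaction. The `Vault`, `CallbackReceiver` and `simulate` names and the balances are hypothetical; the model compares a withdrawal that updates its ledger after the external call with one that updates it before (checks-effects-interactions).

```python
# Simplified model (constructed for illustration): a ledger that pays out
# through a callback, the way a contract hands control to the receiver.

class Vault:
    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = checks-effects-interactions
        self.balances = {}
        self.reserves = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, receiver):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserves < amount:   # check
            return
        if self.effects_first:
            self.balances[who] = 0                  # effect before the call
        self.reserves -= amount
        receiver.on_receive(self, amount)           # interaction: control leaves
        if not self.effects_first:
            self.balances[who] = 0                  # effect after the call: too late

    def solvent(self):
        # Invariant a monitor or test can assert: reserves cover all balances.
        return self.reserves >= sum(self.balances.values())


class CallbackReceiver:
    """Receiver whose callback calls withdraw() again, up to max_depth times."""
    def __init__(self, name, max_depth):
        self.name, self.max_depth = name, max_depth
        self.depth = 0
        self.received = 0

    def on_receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.withdraw(self.name, self)


def simulate(effects_first, max_depth=3):
    vault = Vault(effects_first)
    vault.deposit("others", 90)     # constructed sample balances
    vault.deposit("caller", 10)
    receiver = CallbackReceiver("caller", max_depth)
    vault.withdraw("caller", receiver)
    return receiver.received, vault.reserves, vault.solvent()
```

`simulate(False)` pays out four times the caller's balance and breaks the solvency invariant, while `simulate(True)` pays out once because the nested call sees a zero balance.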
According to data from security firm TRM Labs, crypto hack incidents dropped 70% in Q1 2023 compared with the same period in 2023. However, lending protocol Euler Finance suffered a flash loan attack that caused a net loss of over $196 million, the biggest DeFi hack in 2023 so far. In a surprising turn of events, the exploiters returned most of the looted ETH.