Hacker Exploits Sturdy Finance, Drains $800,000 From The Lending Protocol

hacker

Pixabay

DeFi lending protocol, Sturdy Finance has lost nearly $800,000 in ETH to an attack. The protocol confirmed the incident in a June 12 tweet after receiving an alert from blockchain security firm, PeckShield. According to the report, the hacker exploited a vulnerability in Sturdy Finance’s price oracle, gaining access to drain funds from the protocol’s liquidity pool. 

The DeFi protocol said it had suspended all market transactions while taking further actions to analyze the situation.

Hacker Moves 442 ETH Stolen From Sturdy Finance To Tornado Cash

According to security firm BlockSec, Sturdy Finance’s hacker leveraged read-only reentrancy on the protocol’s price Balancer to manipulate the BstETH-STABLE price. As a result, the hacker carted away 442 ETH worth approximately $800,000 at the time of writing. 

Related Reading: Venture Firm Andreessen Horowitz To Open 1st UK Office Amid Crypto Scrutiny In US

PeckShield was the first to alert the protocol about the price manipulation-related transaction on its platform on June 12. In response, Sturdy Finance suspended its markets, assuring users of the safety of the remaining funds. The protocol also said users need not take any actions, adding that it will share more updates regarding the issue soon.

Regardless of the swift response from Sturdy Finance, PeckShield confirmed the attacker moved nearly all ETH through the currency mixer Tornado Cash. According to the security firm, the hackers have already transferred 442 ETH to Tornado Cash.

Ethereum’s price currently hovers at $1,742 in the daily chart. | Source: ETHUSD price chart from TradingView.com

Other Crypto Scams And Hack Exploitations

Over the past few months, several DeFi protocols have lost millions of dollars in digital assets to exploits. The price manipulation method used by the Sturdy Finance hackers is prevalent among DeFi hack exploitations as hackers have repeatedly employed similar methods to drain funds from decentralized finance protocols in the past months.

Through price oracle exploitations, hackers can use a single transaction to call a function multiple times before the initial call is complete. The strategy enables them to withdraw more funds than is possible with a single transaction.

These are not the only ways hackers have stolen funds from crypto users though. According to a recent report, scammers hijacked Twitter accounts belonging to prominent crypto community members, using them to promote scam projects. 

On-chain sleuth ZachXBT reported that scammers stole nearly $1 million in crypto assets after hijacking a Twitter account belonging to influential DJ Steve Aoki, Pudgy Penguins founder Cole Villemain, and Peter Schiff.

Also, prominent pro-XRP lawyer and founder of CryptoLaw, John E. Deaton, reported that scammers hijacked his account. The hackers used Deaton’s account to promote a scam token dubbed $LAW. 

Related Reading: Bitcoin Diamond Hands Unfazed By Recent FUD As Exchange Inflows Remain Very Low

In another development, the US Department of Justice charged two Russian nationals allegedly involved in the 2014 Mt. Gox hack exploitation. 

The Mt. Gox exploitation, which resulted in the loss of thousands of Bitcoins, remains one the largest single hack in the history of crypto. According to the DOJ, Alex Bilyuchenko, aged 43, and Aleksandr Verner, aged 29, conspired to steal and launder 647,000 BTC from Mt. Gox.

Featured image from Pixabay and chart from TradingView.com
Exit mobile version