Sturdy Stablecoin Market Resumes Operations After a Major Exploit



Sturdy Finance

Sturdy Finance is a protocol that allows users to borrow and lend crypto assets using liquidity provider (LP) tokens as collateral. The protocol offers two markets: one for Ethereum and one for stablecoins. However, on June 12, 2023, the protocol suffered a major exploit that resulted in the loss of 442 Ether (ETH), worth around $800,000 at the time.

The exploit was carried out by an attacker who took advantage of a faulty price oracle in the B-stETH-STABLE pool, which is a Balancer pool that contains stETH and stablecoins. stETH is a tokenized version of ETH that accrues interest from staking on Ethereum 2.0. The attacker used a flash loan from Aave, a lending platform, to borrow 50,000 wstETH and 60,000 WETH (wrapped ETH) and deposited them into the B-stETH-STABLE pool.

The Attacker Took Advantage of a Weakness in the Exchange’s Systems

The attacker then repeatedly called the swap function of the pool, which triggered a re-entrancy attack. A re-entrancy attack is a type of exploit in which a malicious contract calls back into another contract before that contract has finished executing, so the callee observes or modifies state that is only partially updated. In this case, the attacker manipulated the price oracle of the pool to inflate the reported value of stETH to roughly three times its real value.

The attacker then withdrew their collateral from Sturdy Finance, which was based on the inflated price of stETH. As a result, the attacker was able to withdraw more ETH than they deposited, leaving Sturdy Finance with a deficit of 442 ETH. The attacker then moved the stolen funds through Tornado Cash, a privacy-preserving mixer that obscures the link between sender and receiver addresses.
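The root cause described above is a lending market pricing collateral from a pool's own rate while that pool's vault is still mid-transaction. The following Solidity contract is an added illustration, not code from Sturdy Finance or Balancer: it shows the unchecked read beside a hardened read that refuses to return a price while the vault is in a re-entrant state. The `IVault` and `IRateProvider` interfaces, the `CollateralOracle` contract name and the `BAL#400` error string are assumptions for this example; the guard is modeled on the approach Balancer published in its `VaultReentrancyLib` (a gas-limited `staticcall` into a `nonReentrant` vault function whose revert reason reveals whether the vault's re-entrancy lock is currently held).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal vault interface. The struct layout matches the Balancer V2
// Vault so that the function selector below is the real one; everything else
// here is illustrative.
interface IVault {
    struct UserBalanceOp {
        uint8 kind;
        address asset;
        uint256 amount;
        address sender;
        address payable recipient;
    }
    function manageUserBalance(UserBalanceOp[] calldata ops) external payable;
}

// Assumed pool interface: a Balancer-style pool exposing its LP token rate.
interface IRateProvider {
    function getRate() external view returns (uint256);
}

// Hypothetical collateral oracle for a lending market (constructed example).
contract CollateralOracle {
    IVault public immutable vault;
    IRateProvider public immutable pool;

    // keccak256 of the ABI-encoded revert reason the vault's re-entrancy guard
    // emits while its lock is held ("BAL#400" is an assumption of this example).
    bytes32 private constant REENTRANCY_ERROR_HASH =
        keccak256(abi.encodeWithSignature("Error(string)", "BAL#400"));

    constructor(IVault _vault, IRateProvider _pool) {
        vault = _vault;
        pool = _pool;
    }

    // Vulnerable pattern: trusts the pool rate at whatever moment it is read,
    // including from inside a callback while the vault is mid-operation and
    // the pool's balances are transiently inconsistent.
    function priceUnchecked() external view returns (uint256) {
        return pool.getRate();
    }

    // Hardened pattern: refuse to serve a price while the vault is re-entered.
    function price() external view returns (uint256) {
        ensureNotInVaultContext();
        return pool.getRate();
    }

    // Probe the vault's re-entrancy lock without changing any state. The call
    // is expected to revert either way (malformed calldata or a state write in
    // a staticcall); the only acceptable outcome is a revert that is NOT the
    // re-entrancy error. If it IS that error, a vault operation is in progress.
    function ensureNotInVaultContext() internal view {
        (, bytes memory revertData) = address(vault).staticcall{gas: 10_000}(
            abi.encodeWithSelector(IVault.manageUserBalance.selector, 0)
        );
        require(
            keccak256(revertData) != REENTRANCY_ERROR_HASH,
            "oracle: vault re-entrancy detected"
        );
    }
}
```

A lending market that values collateral through `price()` rather than `priceUnchecked()` reverts instead of accepting a manipulated rate during a swap callback; the gas cap on the probe bounds the cost of the extra call, and because the probe is a `staticcall`, it cannot itself alter vault state.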

The Sturdy Finance team responded to the exploit by pausing all markets on the protocol and launching an investigation. The team also offered a $100,000 bounty, payable either to the hacker who performed the exploit or to anyone who helps recover the funds or secure an arrest. The team stated that it would not pursue legal action if the hacker returned the funds voluntarily.

Sturdy Finance's stablecoin market resumed operations on June 16, 2023, and users can again withdraw and deposit their funds. The team assured users that no funds in this market were ever at risk and that the decision to pause it was taken out of an abundance of caution. The team also disabled the bb-a-USD pool, another Balancer pool that contains bUSD and USDC.