Here is the news in video:
Yet another DeFi protocol falls victim to a scam after a hacker moves 442 ETH to crypto mixer Tornado Cash shortly after exploiting a reentrancy flaw in the Sturdy Finance protocol. PeckShield uncovered the issue earlier today, suggesting it’s related to the protocol’s price manipulation.
Responding to the alert, Sturdy Finance confirmed it’s aware of the attack and has paused all markets to avoid putting additional funds at risk. The company also claims to be taking action to solve the problem while promising to provide updates as soon as they’re available.
A June 12 release by the platform said,
“We are aware of the reported exploit of the Sturdy protocol. All markets have been paused; no additional funds are at risk and no user actions are required at this time. We will be sharing more information as soon as we have it.”
How the hacker penetrated Sturdy Finance’s security
Soon after PeckShield raised the alarm about the hack, blockchain security firm BlockSec launched an investigation, uncovering more information about the ill-fated attack. According to BlockSec’s analysis, the hacker seemed to manipulate a reentrancy flaw to steal more funds than possible from the protocol.
A reentrancy attack allows a bad actor to execute a function multiple times before completing the initial one. Since the function doesn’t have time to update its state before running the new function, it can keep recursively transferring funds until it drains all the funds in the liquidity pool.
The Sturdy Finance hacker used the reentrancy vulnerability to permit themselves to withdraw more funds than should be possible, eventually carting away no less than 442 ETH tokens from the protocol’s liquidity pool.
Sturdy Finance’s swift response not enough to save funds
Despite the protocol’s swift response to the attack, Sturdy Finance couldn’t stop the hacker from stealing $800,000 worth of ETH in the exploit. With the funds going directly into a crypto-mixing service, the chances of recovery are quite slim.
While there are still too many DeFi hacks out there, the number has decreased massively from last year’s occurrences. Also, hoping to recover funds from hackers is no longer a pipe dream, as they tend to return some of the funds they steal to the rightful owners these days.