
DeFi Lending Protocol Sturdy Finance Hacked Using Vulnerability in Another DeFi Project, Balancer

Another DeFi lending protocol has become the victim of hackers as Sturdy Finance lost more than $760,000 worth of users' assets. Is something broken in DeFi lending?


The Sturdy Finance DeFi lending platform was hacked on Monday. The attacker stole about 442 ETH (over $760,000 at the time of writing) by manipulating the price of the collateral the protocol accepted and borrowing against it. BlockSec, a smart-contract audit firm, was the first to report the hack.

Sturdy Finance allows borrowing against collateral that is already staked and earning interest, thus leveraging 'yield farming' on staking platforms such as Yearn, Convex, and Lido. The project was funded in 2021, and in 2022 it raised $3.9 million from a group of leading industry VCs led by Pantera Capital. The total value locked in Sturdy Finance at the time of writing was above $20 million.

As commonly happens with DeFi hacks, the attackers used flash loans to execute their plan. They took flash loans of 50,000 wstETH and 60,000 WETH (worth in aggregate around $187 million) on the Aave platform.

The flash-loaned funds were used to exploit an already known vulnerability in a Balancer pool (a read-only reentrancy issue in the pool's rate calculation, which lets the pool token's reported rate be read while the pool is mid-operation) and so manipulate the price of B-stETH-STABLE, the Balancer pool token that Sturdy Finance accepted as collateral.

Then, using B-stETH-STABLE as collateral, the hackers performed a series of borrowings and liquidations on Sturdy Finance. Because the price Sturdy read for the collateral was under their control, each borrow was sized against an inflated collateral value and each liquidation settled at a price of their choosing, so every one of these transactions resulted in a loss for the protocol, draining its collateral pools.
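The two legs described above, a flash-loan-funded pool operation and a borrow priced during it, are easiest to see in a small simulation. The following is an added example written for this article in Python, not code from Sturdy Finance, Balancer or BlockSec: the pool, lending pool and oracles are simplified stand-ins, the numbers are constructed, and the mid-operation price read is an assumption of the model rather than a description of either protocol's contracts. It also shows the kind of "additional oracle check" a lender can add: refusing a price read while the pool is mid-operation and rejecting a rate that jumps far from a reference.

```python
"""Toy model of borrowing against a transiently inflated LP-token price.

Constructed example: StablePool, LendingPool and the two oracles are
simplified stand-ins, not Sturdy Finance's or Balancer's contracts, and the
figures are made up and chosen to keep the arithmetic exact.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


class ManipulationDetected(Exception):
    """Raised by the hardened oracle when a price read cannot be trusted."""


@dataclass
class StablePool:
    """Pool whose LP token is priced as pooled value / LP supply.

    Model assumption: a deposit credits the pooled value, then runs a
    caller-supplied callback, and only afterwards mints LP tokens. A price
    read inside the callback therefore sees new value over stale supply.
    """
    value: float                 # pooled assets, in ETH
    supply: float                # LP tokens outstanding
    in_operation: bool = False   # set while a deposit is in progress

    def rate(self) -> float:
        return self.value / self.supply

    def deposit(self, amount: float, during: Callable[[], None] = lambda: None) -> float:
        rate_before = self.rate()
        self.in_operation = True
        try:
            self.value += amount          # assets credited first
            during()                      # caller's code runs mid-operation
            minted = amount / rate_before
            self.supply += minted         # LP tokens minted last
        except Exception:
            self.value -= amount          # model a reverted transaction
            raise
        finally:
            self.in_operation = False
        return minted


@dataclass
class LendingPool:
    """Lends ETH against LP tokens, priced through a pluggable oracle."""
    pool: StablePool
    liquidity: float                       # ETH available to lend
    oracle: Callable[[StablePool], float]
    ltv: float = 0.8                       # loan-to-value limit
    collateral: Dict[str, float] = field(default_factory=dict)
    debt: Dict[str, float] = field(default_factory=dict)

    def deposit_collateral(self, user: str, lp_tokens: float) -> None:
        self.collateral[user] = self.collateral.get(user, 0.0) + lp_tokens

    def borrow_capacity(self, user: str) -> float:
        value = self.collateral.get(user, 0.0) * self.oracle(self.pool)
        return max(0.0, value * self.ltv - self.debt.get(user, 0.0))

    def borrow(self, user: str, amount: float) -> None:
        if amount > self.borrow_capacity(user):
            raise ValueError("insufficient collateral")
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        self.debt[user] = self.debt.get(user, 0.0) + amount
        self.liquidity -= amount


def spot_oracle(pool: StablePool) -> float:
    """Naive oracle: trusts whatever the pool reports right now."""
    return pool.rate()


def make_hardened_oracle(reference_rate: float, max_deviation: float = 0.02):
    """Oracle that refuses mid-operation reads and large jumps from a reference.

    The reference would in practice be a TWAP or an independent feed; here it
    is a constant supplied by the caller (an assumption of the model).
    """
    def oracle(pool: StablePool) -> float:
        if pool.in_operation:
            raise ManipulationDetected("pool is mid-operation; rate is not final")
        rate = pool.rate()
        if abs(rate - reference_rate) / reference_rate > max_deviation:
            raise ManipulationDetected(f"rate {rate:.3f} deviates from reference")
        return rate
    return oracle


def run_attack(oracle: Callable[[StablePool], float], flash_loan: float = 60_000.0) -> dict:
    """Borrow against LP collateral while the LP price is transiently inflated."""
    pool = StablePool(value=100_000.0, supply=100_000.0)      # LP rate 1.0
    lending = LendingPool(pool=pool, liquidity=5_000.0, oracle=oracle)
    attacker_lp = 1_000.0                                     # fair value 1000 ETH
    lending.deposit_collateral("attacker", attacker_lp)
    result = {"borrowed": 0.0, "fair_collateral": attacker_lp * pool.rate()}

    def borrow_mid_operation() -> None:
        amount = lending.borrow_capacity("attacker")  # priced at the inflated rate
        lending.borrow("attacker", amount)
        result["borrowed"] = amount

    try:
        pool.deposit(flash_loan, during=borrow_mid_operation)  # flash-loaned funds
    except ManipulationDetected as exc:
        result["blocked"] = str(exc)
    result["protocol_loss"] = max(0.0, result["borrowed"] - result["fair_collateral"])
    return result


if __name__ == "__main__":
    print("spot oracle:    ", run_attack(spot_oracle))
    print("hardened oracle:", run_attack(make_hardened_oracle(reference_rate=1.0)))
```

With the spot oracle the 60,000 ETH deposit lifts the mid-operation rate from 1.0 to 1.6, so 1,000 LP tokens worth 1,000 ETH support a 1,280 ETH borrow and the lender is left 280 ETH short once the rate settles back; the attacker never needs the flash-loaned funds beyond that one transaction. The hardened oracle refuses the read while the pool is mid-operation, which reverts the whole deposit, and its deviation bound would also reject a rate that had been pushed far from the reference by other means.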

BlockSec reported the attacker's steps in detail:

[Image: detailed steps of the attack as reported by BlockSec. Source: Twitter]

Following the attack, hackers transferred the stolen funds to the Tornado Cash crypto mixer.

Sturdy Finance paused all its markets and announced that the remaining funds were no longer at risk. In a detailed community update the Sturdy Finance team said that they had paused all pools that accepted Balancer stable pool tokens as collateral 'out of an abundance of caution' and that additional oracle checks would be implemented before the markets were unpaused.

Later, Sturdy Finance offered the hacker a deal via an on-chain message, asking for the stolen funds to be returned in exchange for a $100,000 bounty. Sturdy Finance's founder, Sam Forman, publicly confirmed the offer.

“To the exploiter: as we have seen with recent hacks, exploits are not as easy to escape from as they used to be. That said, we are willing to offer you $100k as a bounty, and will not pursue you further if you send the remaining funds to 0x4e489d9863c9bAAc6C4917E1221274760BA889F5.”

However, the hacker has not responded so far.

Decentralized lending protocols are a common target for attacks. In 2023 alone we observed similar hacks on the Hundred Finance and Euler Finance protocols. Hackers exploit flaws in the financial logic or the code of the underlying smart contracts to 'borrow' funds without providing adequate collateral. Even seemingly insignificant loopholes are magnified by flash loans, which let an attacker wield hundreds of millions of dollars of capital for the duration of a single transaction.

Moreover, as Sturdy Finance's case shows, a flaw in the design of one DeFi protocol can open the door to the vaults of another, unrelated protocol: a lender that prices collateral straight from another protocol's pool inherits that pool's weaknesses.

Nevertheless, it is too early to judge the prospects of the multi-billion dollar DeFi lending industry. Analysts project it to reach $200 billion by 2030, although this is still small compared to the $8 trillion held in traditional lending markets.