Back to all stories
Incident Analysis
Oracle Dependency: Decrypting the Sturdy Finance Attack
Oracle Dependency: Decrypting the Sturdy Finance Attack

Project name: Sturdy Finance

Project type: Lending

Date of exploit: Jan 12, 2023

Asset loss: 442 ETH

Vulnerability: Price manipulation (read-only reentrancy)

Date of audit conducted: Jan 25, 2022

Conclusion: Out of audit scope

Details of the Exploit

Project Background

Sturdy Finance, a DeFi lending protocol, enables users to deposit collateral and borrow tokens based on their collateral value, which is determined by external price Oracles to acquire price for the collateral. In the recent exploit, the Balancer protocol functioned as this external price Oracle.

Nature of the Vulnerability

  • The attacker's collateral value is incorrectly calculated by a manipulated asset price, so the attacker can borrow more than its collateral to drain the vault.
  • The collateral price is provided by a Balancer protocol, which has a read-only reentrancy issue in its implementation.
  • The attacker manipulated the collateral price from the Balancer protocol by triggering external calls to update its collateral in Sturdy's lending protocol in the process of withdrawing tokens from the Balancer protocol.

CertiK Audit Overview

Sturdy Finance table


On Jan 12, 2023, the lending platform Sturdy Finance was attacked, leading to a loss of 442 ETH. The attacker made use of a read-only reentrancy vector to manipulate the price used in a lending protocol to drain funds. The vulnerability lies in the dependency on the Balancer protocol, which was used to price Oracles in Sturdy's contracts and has been widely recognized by the community. The dependency on the Balancer protocol is not in CertiK's audit scope.

References Analysis:

Additional Resources: Reentrancy Vulnerability Scope Expanded