Project name: Sturdy Finance
Project type: Lending
Date of exploit: Jan 12, 2023
Asset loss: 442 ETH
Vulnerability: Price manipulation (read-only reentrancy)
Date of audit conducted: Jan 25, 2022
Conclusion: Out of audit scope
Sturdy Finance, a DeFi lending protocol, enables users to deposit collateral and borrow tokens against its value. That collateral value is read from external price oracles; in the recent exploit, the Balancer protocol served as this external price oracle.
On Jan 12, 2023, the lending platform Sturdy Finance was attacked, leading to a loss of 442 ETH. The attacker used a read-only reentrancy vector to manipulate the price the lending protocol relied on and drain funds. The vulnerability lies in the dependency on the Balancer protocol, which Sturdy's contracts used as a price oracle and which has been widely recognized by the community. The dependency on the Balancer protocol is not in CertiK's audit scope.
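To make the oracle-dependency point concrete, here is an added model (not Sturdy's or Balancer's code, and not part of the original report) of why a lending protocol must not value Balancer pool tokens (BPT) while the Balancer Vault is mid-operation. The `Vault` class is a deliberately simplified stand-in: it burns pool tokens, then hands control to the recipient during the payout while its reentrancy lock is held, so a naive "TVL divided by supply" oracle read from inside that callback sees an unsettled state. The `ensure_not_in_vault_context` probe mirrors the mitigation pattern the Balancer community recommended (call into the Vault in a way that reverts only while its lock is held) and is an assumption of this model, not the real library API.

```python
"""
Model of read-only reentrancy against a BPT price oracle, and the guard
that a consuming lending protocol can apply before trusting the price.

Added illustration; the vault, pool, balances and prices are constructed.
"""
from typing import Callable, Dict, List, Optional
from dataclasses import dataclass, field


class VaultReentrancyError(Exception):
    """Raised when the vault's reentrancy lock is already held."""


@dataclass
class Vault:
    balances: Dict[str, float]            # constructed token balances of one pool
    bpt_supply: float                     # pool tokens outstanding
    prices: Dict[str, float]              # constructed unit prices, in ETH
    entered: bool = False                 # stand-in for the Vault's reentrancy lock
    history: List[str] = field(default_factory=list)

    def pool_tvl(self) -> float:
        return sum(amt * self.prices[t] for t, amt in self.balances.items())

    def ensure_not_in_vault_context(self) -> None:
        """Assumed probe: reverts only if the reentrancy lock is held."""
        if self.entered:
            raise VaultReentrancyError("vault is mid-operation; state not settled")

    def exit_pool(self, bpt_amount: float,
                  on_payout: Callable[["Vault"], None]) -> None:
        """Burn BPT first, then pay out tokens. The payout hands control to
        the recipient (as a native-ETH transfer does) while the lock is held,
        before the pool balances have been reduced."""
        if self.entered:
            raise VaultReentrancyError("reentrant call")
        self.entered = True
        try:
            share = bpt_amount / self.bpt_supply
            self.bpt_supply -= bpt_amount                 # supply already reduced
            payouts = {t: amt * share for t, amt in self.balances.items()}
            self.history.append("payout-callback")
            on_payout(self)                               # control leaves here
            for t, amt in payouts.items():                # balances reduced after
                self.balances[t] -= amt
        finally:
            self.entered = False


def unguarded_bpt_price(vault: Vault) -> float:
    """Naive oracle: TVL / supply, trusting whatever the vault reports now."""
    return vault.pool_tvl() / vault.bpt_supply


def guarded_bpt_price(vault: Vault) -> float:
    """Hardened oracle: refuse to price while the vault is mid-operation."""
    vault.ensure_not_in_vault_context()
    return unguarded_bpt_price(vault)


def make_vault() -> Vault:
    # Constructed sample pool: 100 WETH and 100 units of a token priced at
    # 1 ETH, with 200 BPT outstanding, so one BPT is worth 1 ETH when settled.
    return Vault(balances={"WETH": 100.0, "TKN": 100.0}, bpt_supply=200.0,
                 prices={"WETH": 1.0, "TKN": 1.0})


def price_seen_during_exit(oracle: Callable[[Vault], float]) -> Optional[float]:
    """Run an exit and report what `oracle` answers from inside the payout
    callback; None means the oracle refused to answer."""
    vault = make_vault()
    seen: List[Optional[float]] = []

    def callback(v: Vault) -> None:
        try:
            seen.append(oracle(v))
        except VaultReentrancyError:
            seen.append(None)

    vault.exit_pool(bpt_amount=100.0, on_payout=callback)
    return seen[0]


if __name__ == "__main__":
    print("settled price:", guarded_bpt_price(make_vault()))
    print("naive oracle mid-exit:", price_seen_during_exit(unguarded_bpt_price))
    print("guarded oracle mid-exit:", price_seen_during_exit(guarded_bpt_price))
```

The settled price is 1 ETH per BPT, the naive oracle answers 2 ETH per BPT from inside the callback because supply has been halved while balances are untouched, and the guarded oracle refuses to answer at all. The design point for a consumer of any pool-token price is that the check belongs in the oracle wrapper, not in the pool: the pool's view functions are not wrong, they are simply being read at a moment when the vault's state is not yet consistent.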
Rekt.news Analysis: https://rekt.news/sturdy-rekt/
Additional Resources: Reentrancy Vulnerability Scope Expanded