Cyber Incident Victim: Sturdy Finance

Date: Jun 2023

Location: United States of America

Summary

Sturdy Finance suffered an exploit that resulted in a loss of 442 ETH from its ETH lending market, with the total protocol loss amounting to 504 ETH. The attacker manipulated the price of a cryptocurrency through a vulnerability in the platform's code. The protocol was immediately paused, preventing further losses, and the team is working to make all users whole. A bounty was offered for the return of funds, and the firm is coordinating with security experts and law enforcement.

Description

On June 12, 2023, at 1:06 AM UTC, an attacker exploited a vulnerability within the decentralized finance platform Sturdy Finance. The target of the attack was the protocol's ETH market. Through this exploitation, the attacker successfully stole 442 ETH from the platform. The total loss incurred by the protocol was calculated to be 504 ETH. This amount represented a significant portion of the total ETH lending pool, which held 2,109 ETH at the time of the incident. No other assets or pools on the Sturdy Finance platform were impacted by this security breach. The specific root cause of the exploit was identified by the Sturdy Finance team, though the technical details were not publicly disclosed in the immediate aftermath and were slated for a future, more detailed article.

Immediately following the detection of the attack, contributors to the Sturdy Finance protocol took swift action to pause the entire system. This emergency measure was implemented to prevent any further unauthorized withdrawals or potential secondary exploitations. The quick actions of an individual referred to as 'dudesahn' were credited with saving an additional $150,000 that was determined to be at risk at the time of the incident. As an additional precautionary step, the stablecoin market was also paused, even though an initial assessment confirmed that no funds within that market were ever at risk of being stolen.

The exploitation method was identified as leveraging a vulnerability in Sturdy Finance's code. This vulnerability allowed the unknown attacker to manipulate the price of a cryptocurrency on the platform. By artificially inflating the value, the attacker was then able to siphon off coins at this manipulated, higher price, resulting in the financial loss. The attack was isolated to this specific technical flaw and did not involve a compromise of user wallets or external accounts.

In response to the theft, Sturdy Finance's 23-year-old founder, Sam Forman, publicly addressed the attacker via a tweet on June 13. The communication offered a bounty of $100,000 and a promise of no legal consequences if the stolen funds, valued at approximately $800,000, were returned to a specified Ethereum address (0x4e489d9863c9bAAc6C4917E1221274760BA889F5). This offer was later characterized in the platform's official Medium post as a strong advisement for the attacker to return the funds and move on. The public bounty offer was subsequently updated in the official community communication. The company stated that if the funds were not returned voluntarily, a reward of $100,000 would be made available to anyone who provided information that led to an arrest and the recovery of the stolen funds.

Beyond the public negotiation attempt, the Sturdy Finance team engaged in a coordinated effort with what they described as a team of world-class security experts. These experts specialized in on-chain analysis and off-chain operational security. This group had a history of success in recovering funds from other high-profile cryptocurrency incidents. Sturdy Finance also reported that they were working with global law enforcement agencies. This collaboration was said to have yielded a significant amount of information regarding the incident and the responsible party.

The process of restoring user access to their funds began with a plan to first unpause the stablecoin market. This action was anticipated to occur within 48 hours of the June 12 update. However, out of an abundance of caution, certain functionalities were to remain restricted even after the unpausing. Specifically, deposits to a supported Balancer pool (bb-a-USD) were to be disabled, and additional oracle checks were to be implemented as a new security measure before the market was brought back online. The timeline for reinstating the exploited ETH market was less certain. The protocol stated there was no fixed date for its unpausing, and it would only be reactivated once the team was confident the vulnerability had been completely mitigated and the financial hole created by the theft had been filled. The method for repaying users their lost funds was stated to be dependent on several factors, including the potential recovery of the stolen assets and insurance arrangements. Despite these variables, the protocol was committed to making all affected users whole, guaranteeing 100% repayment of their losses as quickly as possible.

The financial impact of the incident was quantified as a direct loss of 504 ETH from the protocol's treasury, with 442 ETH confirmed to have been stolen by the attacker. The incident caused a temporary but complete operational halt to the Sturdy Finance platform, disrupting all lending and borrowing activities. The immediate consequence was that users were temporarily unable to access or manage their funds deposited within the protocol. The longer-term consequence was reputational damage to the nascent DeFi platform, which necessitated a public campaign to reassure its community and demonstrate a commitment to security and user repayment. The event was part of a broader series of cryptocurrency hacks that occurred during the same week, including major incidents affecting Atomic Wallet, Floating Point Group, and Hashflow, collectively representing millions of dollars in losses across the ecosystem.
