- The hacker used oracle manipulation to “pump out” funds
- He has already started withdrawing the stolen funds through the Tornado Cash mixer
- Sturdy Finance suspends all markets pending clarification
Early this morning, June 12, PeckShield analysts reported suspicious activity in the Sturdy Finance lending protocol pool. Later, the administration confirmed the hack. The hacker has already withdrawn 442.6 ETH ($769 thousand) through the Tornado Cash mixer.
“The problem seems to be related to price manipulation,” PeckShield said in its notice.
An hour later, the administration of Sturdy Finance confirmed the hack:
“We are aware of the discovered vulnerability. All markets on the platform are suspended. Now there is no risk of losing additional funds, and no action is required on the part of users. We will provide all the details later.”
The probable damage is $769 thousand or 442.6 ETH. According to PeckShield, the hacker has already begun to withdraw the stolen funds through the Tornado Cash mixer. The address of the likely hacker can be viewed here.
Apparently the hacker exploited a “reentrancy vulnerability”. He then manipulated the price oracle, after which he began to “pump out” funds.
The most notorious similar case last year was the Mango Markets hack. There, too, oracle manipulation was used. The most interesting part is that the hacker responsible denied having committed a crime.
In his opinion, his actions did not go beyond the “regular” use of the oracle, and the losses of affiliates and ordinary users are market conventions.