If DeFi Security is 2023's Chief Challenge, How Can Flash Loans Exist?


INTRODUCTION:

Given the security issues that have dogged the DeFi community for the past few years, you would expect security chiefs to clear the low-hanging fruit quickly to allay potential investors' worries. In the piece that follows, journalist Damilola Lawrence discusses the recent Sturdy Finance exploit and how several blockchain security companies traced the flaw. Some of the answers appear to be simple.

__________________________________________________________

  • Sturdy Finance, a DeFi protocol, loses $800,000 in an exploit due to a faulty price oracle.
  • Security firms investigated the attack, after which the stolen funds were moved to Tornado Cash and Change Now.

Sturdy Finance, a decentralized finance (DeFi) protocol, has suffered an exploit resulting in the loss of 442 Ether (ETH), equivalent to nearly $800,000. The attack targeted a faulty price oracle, allowing the hacker to drain funds from the protocol. Sturdy Finance has temporarily paused its markets and assured users that no additional funds are at risk. The incident is currently under investigation, and further details are expected to be revealed.

Insights from blockchain security firms

Blockchain security firms, including Peckshield, 0xScope, and BlockSec, shed light on the attacker's exploit and techniques. Peckshield first traced the vulnerability to a defective price oracle used to compute the asset price. The hacker subsequently transferred the stolen funds to Tornado Cash, a crypto-mixing protocol, and to the Change Now exchange.

Further analysis by 0xScope confirmed the role of the faulty price oracle in the exploit. Meanwhile, BlockSec highlighted that the attack exhibited signs of a "typical Balancer's read-only reentrancy" attack. In a read-only reentrancy the attacker re-enters not to change state but to read a view function, such as a pool's rate, while the pool is part-way through an operation and the values it reports are stale. The attacker borrowed over 100,000 staked Ether from Aave through a flash loan and then exploited a liquidity pool managed by Sturdy Finance's team on Balancer.
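As an added illustration (not Sturdy Finance's, Balancer's or Aave's code; every contract, name and number below is constructed), the following Python model shows the mechanics behind a read-only reentrancy against an LP-token price oracle, and the check that defeats it. It assumes the ordering documented for this bug class: during a pool exit the BPT supply is reduced and the recipient receives ETH (which runs its fallback) before the Vault writes the reduced token balances, so a rate computed as pool value over supply is inflated while the exit is in flight. The guarded oracle models Balancer's published recommendation of calling the Vault's nonReentrant manageUserBalance with an empty operations array, which reverts whenever the Vault is mid-operation.

```python
"""Model of a read-only reentrancy against an LP-token price oracle.

Constructed example: the Vault, pool, oracle, lending market and attacker are
simplified stand-ins, not the real contracts. Every pool token is assumed to
be worth 1 ETH so that rate = pool value / BPT supply.
"""


class VaultLocked(Exception):
    """Stands in for the Vault's reentrancy-guard revert."""


class Vault:
    def __init__(self, balances, bpt_supply):
        self.balances = dict(balances)  # token -> amount held for the pool
        self.bpt_supply = bpt_supply
        self._entered = False           # the nonReentrant flag

    def pool_value(self):
        return sum(self.balances.values())  # assumption: 1 ETH per token

    def get_rate(self):
        """View function: ETH value per BPT. Reads storage, no guard."""
        return self.pool_value() / self.bpt_supply

    def manage_user_balance(self, ops):
        """nonReentrant no-op: raises if the Vault is already mid-call."""
        if self._entered:
            raise VaultLocked("reentrancy")

    def exit_pool(self, bpt_in, recipient):
        """Exit that sends ETH before storing the reduced balances."""
        self._entered = True
        try:
            share = bpt_in / self.bpt_supply
            self.bpt_supply -= bpt_in                # 1. BPT burned first
            eth_out = share * self.pool_value()
            recipient.receive_eth(eth_out)           # 2. ETH sent: fallback runs
            for token in self.balances:              # 3. balances written last
                self.balances[token] -= share * self.balances[token]
        finally:
            self._entered = False
        return eth_out


class NaiveOracle:
    def __init__(self, vault):
        self.vault = vault

    def price(self):
        return self.vault.get_rate()


class GuardedOracle(NaiveOracle):
    def price(self):
        # A nonReentrant Vault call reverts while the Vault is mid-operation,
        # so a successful call proves the rate read below is not stale.
        self.vault.manage_user_balance([])
        return self.vault.get_rate()


class Lending:
    """Collateral is BPT priced by the oracle; 50% loan-to-value."""
    LTV = 0.5

    def __init__(self, oracle):
        self.oracle = oracle
        self.collateral = {}
        self.debt = {}

    def deposit(self, who, bpt):
        self.collateral[who] = self.collateral.get(who, 0.0) + bpt

    def borrow_max(self, who):
        limit = self.collateral.get(who, 0.0) * self.oracle.price() * self.LTV
        amount = limit - self.debt.get(who, 0.0)
        self.debt[who] = limit
        return amount

    def bad_debt(self, who):
        backed = self.collateral.get(who, 0.0) * self.oracle.price() * self.LTV
        return max(0.0, self.debt.get(who, 0.0) - backed)


class Attacker:
    def __init__(self, lending):
        self.lending = lending
        self.borrowed = 0.0

    def receive_eth(self, amount):
        # Fallback: runs while the Vault's balances are still the old values.
        try:
            self.borrowed += self.lending.borrow_max("attacker")
        except VaultLocked:
            pass  # guarded oracle refused to price mid-exit; the exit still completes


def run(guarded):
    """Returns (borrowed during callback, rate after exit, bad debt left behind)."""
    vault = Vault({"WETH": 1000.0, "wstETH": 1000.0}, bpt_supply=2000.0)
    oracle = GuardedOracle(vault) if guarded else NaiveOracle(vault)
    lending = Lending(oracle)
    attacker = Attacker(lending)
    lending.deposit("attacker", 100.0)   # honest collateral: 100 BPT, rate 1.0
    vault.exit_pool(1000.0, attacker)    # large (flash-loan-sized) exit fires the callback
    return attacker.borrowed, oracle.price(), lending.bad_debt("attacker")


if __name__ == "__main__":
    print("naive  :", run(guarded=False))
    print("guarded:", run(guarded=True))
```

With the naive oracle, the fallback sees a rate of 2.0 (supply halved, balances not yet reduced), borrows 100 ETH against collateral that is worth 100 ETH once the exit completes, and leaves 50 ETH of bad debt; with the guarded oracle the pricing call reverts inside the callback and nothing is borrowed. The flash loan in the article plays the role of the large exit here: it supplies the size needed to make the stale read worth exploiting, not the bug itself.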

In other recent news, scammers gained control over eight Twitter accounts belonging to prominent crypto community members, including DJ Steve Aoki and Pudgy Penguins founder Cole Villemain, to promote crypto scams. These malicious actors reportedly managed to steal nearly $1 million in cryptocurrencies. Meanwhile, the United States Justice Department has charged Alexey Bilyuchenko and Aleksandr Verner in connection with the infamous Mt. Gox hack. The duo is accused of stealing and conspiring to launder 647,000 Bitcoin.
