Sturdy Finance: Read-only reentrancy on Balancer LP (B-stETH-STABLE) → manipulated collateral price → undercollateralized borrow drain
Summary #
Sturdy Finance, a Lending / Money Market protocol (leveraged yield on staked collateral), suffered an exploit on 2023-06-12, resulting in a loss of approximately $800K.
What happened #
Sturdy Finance lost $800K to a read-only reentrancy attack on Balancer LP pricing. The attacker reentered during a Balancer callback window on the B-stETH-STABLE pool, while the pool's reported LP price was in an inconsistent state; SturdyOracle returned an inflated collateral price, which allowed an undercollateralized borrow and the draining of funds. The vulnerability class was well documented, and the exact pools used in the attack had been publicly flagged four months before the hack.
Linked factors #
- RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope (report commit ≠ deployed bytecode) [via dashboard_risk_factors/Was exploited code in audit scope?: N — the vulnerable LendingPool contract version was outside all three audit scopes; cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-008 — related : Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
- RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — SturdyOracle returned an inflated collateral price during the Balancer callback window; detectable as a price divergence from the true B...]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
- RD-F-177 — causal : Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]