Sturdy Finance Read-Only Reentrancy
$800K drained from Sturdy Finance via a Balancer read-only reentrancy that mispriced B-stETH-STABLE LP collateral. Funds returned after negotiation.
- Date: June 12, 2023
- Victim: Sturdy Finance
- Chain(s)
- Status: Recovered
On June 12, 2023, the lending protocol Sturdy Finance lost approximately $800,000 through a Balancer read-only reentrancy that mispriced its B-stETH-STABLE LP-token collateral. The attacker borrowed against an inflated collateral valuation. After negotiation — including a $100K bounty offer — the funds were ultimately returned.
What happened
Sturdy Finance was a lending protocol that accepted yield-bearing LP tokens as collateral, including Balancer's B-stETH-STABLE pool token. Sturdy priced this collateral using the Balancer pool's reported rate.
The exploit used the read-only reentrancy pattern — the same structural bug as dForce, EraLend, and Balancer's own August 2023 incident:
- The attacker initiated a Balancer pool operation (liquidity action) that triggered a callback.
- During the callback — while the Balancer pool's reported BPT price was temporarily incorrect (mid-mutation) — the attacker interacted with Sturdy's lending market.
- Sturdy's collateral-pricing logic read the manipulated mid-mutation BPT price, valuing the attacker's B-stETH-STABLE collateral far above its true worth.
- The attacker borrowed out Sturdy's available reserves against the inflated collateral.
- Total extracted: approximately $800K.
Aftermath
- Sturdy paused all markets to prevent further losses.
- The team offered the attacker a $100,000 bounty for the return of the remaining funds.
- After negotiation, the attacker returned the funds; the team classified the incident as a (paid) white-hat resolution.
- Sturdy redesigned its collateral-pricing to use reentrancy-safe oracle reads and later relaunched a re-architected v2.
Why it matters
Sturdy Finance is one of four 2023 read-only-reentrancy incidents — alongside dForce (Feb), EraLend (Jul), and Balancer (Aug) — that together make 2023 the year the read-only-reentrancy pattern reached the broad DeFi awareness it should have had years earlier.
The structural lesson is the consistent one: any protocol that reads a Curve or Balancer pool's internal state (virtual price, BPT rate) to value collateral must check the pool's reentrancy-lock status before consuming the value, because the pool's reported price is temporarily wrong during its own state mutations. Curve and Balancer both published explicit integration guidance on this; the recurrence reflects how many lending protocols integrated pool-rate reads written before, or without awareness of, that guidance.
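One way to implement that check, as an added example that is not Sturdy's code: the oracle refuses to read the BPT rate unless the Balancer Vault is outside any join/exit/swap, following the staticcall-probe pattern Balancer published in its VaultReentrancyLib. The trimmed IVault/IBalancerPool interfaces and the contract and function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Vault surface needed for the probe (assumed subset of the real interface).
interface IVault {
    struct UserBalanceOp { uint8 kind; address asset; uint256 amount; address sender; address payable recipient; }
    function manageUserBalance(UserBalanceOp[] calldata ops) external payable;
}

// Rate-providing Balancer pool (e.g. a MetaStable pool such as B-stETH-STABLE).
interface IBalancerPool {
    function getRate() external view returns (uint256); // BPT value in underlying, 1e18-scaled
}

contract ReentrancySafeBptOracle {
    // Hash of the revert data the Vault's reentrancy guard emits ("BAL#400").
    bytes32 private constant REENTRANCY_ERROR_HASH =
        keccak256(abi.encodeWithSignature("Error(string)", "BAL#400"));

    IVault public immutable vault;
    IBalancerPool public immutable pool;

    constructor(IVault _vault, IBalancerPool _pool) { vault = _vault; pool = _pool; }

    // Revert if the Vault's reentrancy lock is held, i.e. if we were reached from a
    // Balancer callback while the pool's balances (and so getRate()) are mid-mutation.
    function _ensureNotInVaultContext() internal view {
        // staticcall a nonReentrant Vault function with an empty op array (offset 0).
        // If the lock is held the guard reverts with BAL#400 before touching state;
        // any other outcome means the Vault is not currently executing an operation.
        (, bytes memory revertData) = address(vault).staticcall{gas: 10_000}(
            abi.encodeWithSelector(IVault.manageUserBalance.selector, 0)
        );
        require(keccak256(revertData) != REENTRANCY_ERROR_HASH, "vault reentrancy");
    }

    // Vulnerable shape: trusts the pool's reported rate unconditionally, so a
    // lending market calling it from inside a Balancer callback gets the inflated value.
    function unsafeBptPrice() external view returns (uint256) {
        return pool.getRate();
    }

    // Hardened shape: price the collateral only when the pool cannot be mid-mutation.
    function safeBptPrice() external view returns (uint256) {
        _ensureNotInVaultContext();
        return pool.getRate();
    }
}
```

A lending market should route every collateral valuation through safeBptPrice (or an equivalent guard) so a borrow attempted during a pool callback reverts instead of succeeding against a mispriced position.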
The full recovery via negotiation also makes Sturdy a representative case of the increasingly-dominant resolution pattern for sub-$10M exploits in 2023+: the attacker, facing improving on-chain forensics and a credible bounty offer, finds returning the funds to be the rational choice. The economic logic — a guaranteed bounty versus the uncertain, slow, and increasingly-traceable proceeds of laundering — has made "exploit, negotiate, return for a bounty" a recognisable sub-genre, and Sturdy's $800K / 100% return is a clean instance of it.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-sturdy-finance-hack-june-2023
- [02] medium.com: https://medium.com/neptune-mutual/understanding-sturdy-finance-exploit-ee365fab987a
- [03] rekt.news: https://rekt.news/sturdy-rekt