Summary
Sturdy V1 was a DeFi lending protocol on Ethereum and Fantom that offered interest-free borrowing by routing collateral into yield-bearing positions via third-party protocols such as Lido, Curve, and Yearn Finance. On June 12, 2023, the protocol suffered a read-only reentrancy exploit that drained approximately 442 ETH (roughly $800,000) from its lending pools by manipulating the Balancer B-stETH-STABLE price oracle. Stolen funds were laundered through Tornado Cash within 20 minutes and were never recovered, despite a $100,000 bounty offer to the attacker. ZachXBT flagged the protocol in connection with the exploit. Sturdy subsequently launched a redesigned V2 architecture.
Connected Entities
1 entitiesTimeline(8 events)
2022-03-01
Sturdy Finance launches on Fantom mainnet
2022-01-25
CertiK audit of Sturdy Finance completed; Balancer dependency explicitly excluded from scope
2022-06-03
Sturdy Finance launches on Ethereum mainnet
2023-02-01
Balancer issues vulnerability notice warning dependent protocols about read-only reentrancy risk; Sturdy Finance allegedly does not implement recommended protections
2023-06-12
Read-only reentrancy exploit drains 442.6 ETH (~$800K) from Sturdy V1; attacker uses $191M Aave flash loan; stolen funds moved to Tornado Cash within 20 minutes; PeckShield and BlockSec report the attack
2023-06-13
Founder Sam Forman publicly addresses exploit; Sturdy sends on-chain message to attacker offering $100,000 bounty and no-prosecution pledge
2023-06-16
Sturdy Finance reopens stablecoin market; TVL has declined from ~$12.8M to ~$10.78M
2023-07-01
Sturdy V2 architecture announced with isolated lending pairs and two-tier modular design
Decision Log
- hash: Fs5zX9XgYpnssc61ZtjEwpi1Dep3d8Mu2ARZJ7ijQMrS
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:41 AM
last updated: 5/29/2026, 5:03:34 PM
avoid.net — verified advice for a post-truth world