A DeFi protocol built on Ethereum, known as SIR.trading, has faced a devastating hack, leading to the loss of its entire total value locked (TVL)—which amounted to $355,000 at the time of the breach.
The incident on March 30 was first identified by blockchain security companies, which took to social media to warn users about the compromised protocol.
The founder of the protocol, referred to as Xatarrer, described the hack as “the worst news a protocol could receive,” but expressed determination from the team to continue operations despite this setback.

“Clever attack” targets contract vault
The hack was characterized as a “clever attack” that targeted a callback function in the protocol’s “vulnerable contract Vault” and exploited Ethereum’s transient storage functionality.
According to experts, the malicious actor managed to substitute the legitimate Uniswap pool address in this callback function with one they controlled, enabling them to reroute funds from the vault to their own address. Further explanation suggested that by repeatedly invoking this callback function, the attacker successfully drained the entire TVL of the protocol.
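
A simplified model of the pattern described above, added here as an illustration and not taken from SIR.trading's contracts: a callback that authenticates its caller against a value held in transient storage, beside a hardened variant. The slot numbers, addresses, balances and the way the slot gets overwritten are constructed assumptions; the page does not describe how the substitution was achieved.

```python
POOL_SLOT, ACTIVE_SLOT = 1, 2   # constructed slot numbers, not the protocol's

class TransientStore:
    """Transient storage model: shared by every call in a transaction, wiped at its end."""
    def __init__(self):
        self.slots = {}
    def tstore(self, slot, value):
        self.slots[slot] = value
    def tload(self, slot):
        return self.slots.get(slot, 0)   # unset slots read as zero
    def end_transaction(self):
        self.slots.clear()

class Vault:
    def __init__(self, balance, pool, hardened):
        self.balance, self.pool, self.hardened = balance, pool, hardened
        self.t = TransientStore()

    def start_swap(self):
        self.t.tstore(POOL_SLOT, self.pool)   # expected callback sender
        self.t.tstore(ACTIVE_SLOT, 1)         # a swap is in flight

    def swap_callback(self, caller, amount):
        if self.hardened:
            # Compare against the address fixed at construction, never a mutable
            # slot, and consume the in-flight flag so the callback runs once per swap.
            if caller != self.pool or self.t.tload(ACTIVE_SLOT) != 1:
                raise PermissionError("callback rejected")
            self.t.tstore(ACTIVE_SLOT, 0)
        elif caller != self.t.tload(POOL_SLOT):   # weak: trusts whatever the slot holds
            raise PermissionError("callback rejected")
        self.balance -= amount
        return self.balance

def run(hardened, caller, overwrite=None, calls=3, amount=100):
    """One constructed transaction: start a swap, optionally overwrite the pool slot,
    then invoke the callback `calls` times. Returns (balance, accepted_calls)."""
    vault = Vault(300, "0xpool", hardened)
    vault.start_swap()
    if overwrite is not None:
        vault.t.tstore(POOL_SLOT, overwrite)   # assumption: some write reaches the slot
    accepted = 0
    for _ in range(calls):
        try:
            vault.swap_callback(caller, amount)
            accepted += 1
        except PermissionError:
            break
    vault.t.end_transaction()
    return vault.balance, accepted
```

In the weak variant the balance falls on every repeated call once the slot no longer holds the real pool address; the hardened variant rejects the untrusted caller outright and lets even the genuine pool call back only once per swap.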

An analyst from a blockchain security firm elaborated on the hack, indicating that it may reveal a security weakness in Ethereum’s transient storage system.
This feature was introduced with last year’s Dencun upgrade and provides temporary data storage at lower gas fees than traditional storage methods.
The analyst noted this is still a “nascent feature,” and the breach may represent one of the first incidents exploiting its weaknesses.
“This isn’t just a threat directed at a single instance of uniswapV3SwapCallback,” the analyst commented.
The security company confirmed that the stolen assets have been moved to an address linked to the Ethereum privacy solution Railgun. Xatarrer has since reached out to Railgun for support.
SIR.trading was marketed as “a new DeFi protocol for safer leverage.” Its goal was to tackle some issues associated with leveraged trading, such as volatility decay and liquidation risks, aiming to make long-term investing safer.
Despite its focus on more secure leveraged trading, the protocol’s documentation did caution users that even after audits, its smart contracts could still potentially harbor bugs that might lead to financial losses, particularly noting the vaults as vulnerable areas.
“Undiscovered bugs or exploits in SIR’s smart contracts could result in fund losses. These issues might arise from complex logical operations within vault mechanisms or leverage calculations that audits did not catch, exposing users to rare but critical failures,” the project’s documentation warns.