The founder of the recently hacked decentralized finance protocol SIR.trading has issued a heartfelt request to the perpetrator, urging them to return approximately 70% of the customer funds that were taken, as the survival of the protocol hangs in the balance.
“I propose that you keep $100k as your fair compensation for identifying such a critical bug and return the rest,” stated the pseudonymous founder, known as “Xatarrer,” in an onchain message directed at the attacker following the $355,000 breach on March 30.
“Let’s settle this. No legal drama, no complications,” they added.
Xatarrer shared that SIR.trading was created after four years of dedicated late-night programming and $70,000 sourced from friends and supporters, without any external venture capital.
“We grew to $400k TVL organically, without any advertising. If you retain all of the funds, our chances of survival are nonexistent,” stated Xatarrer.
They even commended the hacker for their skillful execution, remarking that the hack was “almost beautiful, if it weren’t for the loss of so many funds.”
The hacker has yet to respond and has already funneled the stolen assets into an Ethereum privacy solution known as Railgun, as indicated by data from Ethereum block explorer Etherscan.
Initially, on March 30, Xatarrer said that the SIR.trading team was committed to keeping the protocol operational despite this setback. “We have already begun strategizing our next steps. Those affected by the breach will not be overlooked,” they asserted on March 31.
### Hack Resulted from Feature Added in Ethereum’s Dencun Upgrade
The attacker exploited a callback function tied to the protocol’s “vulnerable contract Vault,” which utilizes Ethereum’s transient storage feature.
They substituted the actual Uniswap pool address used in this callback function with one under their control. This allowed them to divert the vault funds to their own address by repeatedly triggering the callback function until the entire value locked in the protocol was drained.
This transient storage feature was introduced to Ethereum in the March 2024 Dencun upgrade to provide users with lower gas fees compared to traditional storage options.
SIR.trading’s documentation presented it as “a new DeFi protocol for safer leverage,” intending to address various challenges often faced in leveraged trading, including volatility decay and liquidation risks.
Blockchain security firm CertiK reported that losses to crypto exploits and scams fell to $28.8 million in March, with about $4.8 million recovered after hackers from the 1inch Resolver incident returned the stolen money.
February had been a particularly challenging month for crypto scams and exploits, highlighted by a $1.4 billion hack involving Bybit.