Ethereum-based DeFi protocol SIR.trading, also known as the synthetic right, has been hacked, and its entire total value locked (TVL) of $355,000 has been lost.
The March 30 hack was first detected by blockchain security companies TenArmorAlert and Decurity. Both posted warnings on X to alert users of the protocol.
The founder of the protocol, known only as Xatarrer, described the hack as “the worst news that the protocol can receive (sic),” but suggested that the team intends to continue the protocol despite the setback.
“An elegant attack” targeted contract vaults
Decurity described the hack as a “clever attack” targeting a callback function used in the protocol's “vulnerable contract Vault,” which takes advantage of Ethereum's transient storage capabilities.
According to Decurity, the attacker was able to replace the actual Uniswap pool address used in this callback function with an address under the hacker's control, allowing the vault's funds to be redirected to that address. TenArmorAlert further explained that by repeatedly calling this callback function, the attacker could completely drain the TVL of the protocol.
SupLabsYi, of blockchain security company Supremacy, detailed the attack in an X post and said it could indicate a security flaw in Ethereum's transient storage.
Last year's Dencun upgrade added transient storage to Ethereum. This new feature allows data to be stored temporarily at lower gas fees than regular storage.
According to SupLabsYi, it remains an “early feature,” and the attack may be one of the first to exploit that vulnerability.
“This is not just a threat targeting a single instance of uniswapV3SwapCallback,” says SupLabsYi.
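The failure mode described above, as an added Python model that is not code from SIR.trading or from the firms quoted: a callback that authorizes its caller against a transient slot trusts whatever was last written to that slot in the same transaction. The addresses, slot number and the direct overwrite of the slot are constructed stand-ins, since the article does not say how the value was replaced; the hardened branch is one possible mitigation, not the project's fix.

```python
POOL, OTHER = "0xPool", "0xOther"  # constructed addresses
POOL_SLOT = 1                      # hypothetical transient slot number


class Transaction:
    """Transient slots survive every internal call and are wiped only when the transaction ends."""
    def __init__(self):
        self.slots = {}


class Vault:
    def __init__(self, funds, hardened):
        self.funds = funds
        self.hardened = hardened
        self.trusted_pool = POOL  # fixed at deployment, cannot change mid-transaction

    def begin_swap(self, tx):
        tx.slots[POOL_SLOT] = POOL  # remember which pool is expected to call back

    def swap_callback(self, tx, caller, amount):
        expected = tx.slots.get(POOL_SLOT)
        if self.hardened:
            # Trust only the deployment-time pool and make the authorization single-use.
            if expected != self.trusted_pool or caller != self.trusted_pool:
                raise PermissionError("callback not from the trusted pool")
            del tx.slots[POOL_SLOT]
        elif caller != expected:
            # Weak check: the only reference value is the mutable transient slot.
            raise PermissionError("caller does not match transient slot")
        paid = min(amount, self.funds)
        self.funds -= paid
        return paid


def simulate(hardened, calls=3):
    """Funds left after a non-pool caller attempts `calls` callbacks in one transaction."""
    vault, tx = Vault(funds=300, hardened=hardened), Transaction()
    vault.begin_swap(tx)
    tx.slots[POOL_SLOT] = OTHER  # stand-in for any write that replaces the slot mid-transaction
    for _ in range(calls):
        try:
            vault.swap_callback(tx, caller=OTHER, amount=100)
        except PermissionError:
            break
    return vault.funds


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False), "hardened:", simulate(hardened=True))
```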
TenArmorSecurity said the stolen funds are currently held at addresses funded through the Ethereum privacy solution Railgun. Xatarrer then contacted Railgun for assistance.
The SIR.trading documentation shows that it was billed as a “new DeFi protocol for safer leverage.” The stated purpose of the protocol was to address some of the challenges of leveraged trading, including volatility decay and liquidation risks, and to improve safety for long-term investments.
Although it was intended to make leveraged trading safer, the protocol's documentation warned users that, despite being audited, its smart contracts could contain bugs that could lead to financial losses.
“Undiscovered bugs or exploits of SIR smart contracts can lead to loss of funds. These can be attributed to complex logic or leverage calculations in vault mechanics that the audit failed to catch.”