
The Ethereum-based DeFi protocol SIR.trading, also referred to as Synthetics Implemented Right, has been hacked, losing its entire total value locked (TVL) — amounting to $355,000 at the moment of the breach.
The breach on March 30 was initially identified by blockchain security organizations TenArmorAlert and Decurity, both of which issued alerts on X to notify users of the protocol.
The protocol’s creator, known simply as Xatarrer, characterized the breach as “the worst news a protocol could receive [sic],” but implied that the team is determined to attempt to sustain the protocol despite the challenge.
“Ingenious attack” aimed at SIR.trading’s vault contract
Decurity referred to the breach as an “ingenious attack” that focused on a callback function utilized in the protocol’s “susceptible contract Vault,” which employs Ethereum’s transient storage capability.
According to Decurity, the attacker was able to replace the genuine Uniswap pool address used in this callback function with an address under their control, which let them redirect the vault’s assets to their own address. TenArmorAlert elaborated that by repeatedly invoking this callback function, the hacker was able to completely drain the protocol’s TVL.
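The defensive pattern for the class of issue described above, as an added illustration that is not SIR.trading’s code: the vault arms a transient-storage slot with the one pool it expects before calling `swap`, and the callback both checks `msg.sender` against that slot and clears it on use, so a direct or repeated call to `uniswapV3SwapCallback` finds no authorized caller. All contract and function names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload need the Cancun (Dencun) EVM target

interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical vault sketch: guards a Uniswap V3 callback with transient storage.
contract GuardedVault {
    address public immutable token0;
    address public immutable token1;
    // Transient slot that holds the single pool allowed to call back during this tx.
    bytes32 private constant EXPECTED_POOL_SLOT = keccak256("guarded.vault.expected.pool");

    constructor(address _token0, address _token1) { token0 = _token0; token1 = _token1; }

    function _arm(address pool) private {
        bytes32 slot = EXPECTED_POOL_SLOT;
        assembly { tstore(slot, pool) }
    }

    // Reads and clears in one step: the slot must never be reused for another value.
    function _disarm() private returns (address pool) {
        bytes32 slot = EXPECTED_POOL_SLOT;
        assembly { pool := tload(slot) tstore(slot, 0) }
    }

    function swapVia(address pool, bool zeroForOne, int256 amount, uint160 limit) external {
        require(pool != address(0), "pool required");
        _arm(pool);
        IUniswapV3Pool(pool).swap(address(this), zeroForOne, amount, limit, "");
        // The callback must have consumed the slot; if not, refuse to leave it armed.
        require(_disarm() == address(0), "callback not consumed");
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        address expected = _disarm();
        require(expected != address(0) && msg.sender == expected, "unauthorized callback");
        // Settle only what the pool is owed, and only to the pool that was armed.
        if (amount0Delta > 0) require(IERC20(token0).transfer(msg.sender, uint256(amount0Delta)));
        if (amount1Delta > 0) require(IERC20(token1).transfer(msg.sender, uint256(amount1Delta)));
    }
}
```

Because the slot is consumed on first read, an unsolicited callback, or a second one within the same swap, fails the `expected != address(0)` check regardless of who the caller claims to be.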
SupLabsYi, from the blockchain security firm Supremacy, provided further insights into the attack in an X post, mentioning that it might reveal a vulnerability in Ethereum’s transient storage.
Transient storage was introduced to Ethereum with the Dencun upgrade last year. This enhancement permits temporary data storage, resulting in reduced gas fees compared to traditional storage.
According to SupLabsYi, it remains a “developing feature,” and the attack may be one of the earliest to exploit its weaknesses.
“This is not just a threat directed at a single instance of uniswapV3SwapCallback,” SupLabsYi noted.
TenArmorSecurity stated that the siphoned assets have now been transferred to an address funded through the Ethereum privacy solution Railgun. Xatarrer has subsequently contacted Railgun for help.
SIR.trading’s documentation indicates that it was promoted as “a novel DeFi protocol for safer leverage.” The specified goal of the protocol was to tackle some of the hurdles associated with leveraged trading, “such as volatility decay and liquidation risks, making it safer for long-term investments.”
While it sought to facilitate safer leveraged trading, the protocol’s documentation did caution users that despite undergoing audits, its smart contracts might still harbor defects that could result in financial loss — underscoring the vaults on the platform as a specific area of susceptibility.
“Unidentified bugs or exploits in SIR’s smart contracts could result in financial losses. These could arise from complex logic in vault mechanics or leverage calculations that audits overlooked, exposing users to rare but significant failures,” the project’s documentation asserts.