Ethereum-based DeFi protocol SIR.trading, also known as Synthetics Implemented Right, has been hacked, resulting in the loss of its entire total value locked (TVL) — $355,000 at the time of the attack. 

The March 30 hack was initially detected by blockchain security firms TenArmorAlert and Decurity, both of which posted warnings on X to alert users of the protocol.

The protocol’s founder, known only as Xatarrer, described the hack as “the worst news a protocol could received [sic],” but suggested the team intends to try to keep the protocol going despite the setback.

Source: SIR.trading on X 

“Clever attack” targeted contract vault

Decurity described the hack as a “clever attack” that targeted a callback function used in the protocol’s “vulnerable contract Vault” which leverages Ethereum’s transient storage feature. 

According to Decurity, the attacker was able to replace the real Uniswap pool address used in this callback function with an address under the hacker’s control, allowing them to redirect the funds in the vault to their address. TenArmorAlert further explained that by repeatedly calling this callback function, the attacker was able to fully drain the protocol’s TVL.

Source: Decurity 

SupLabsYi, from blockchain security firm Supremacy, went into more detail on the attack in an X post, stating it may demonstrate a security flaw in Ethereum’s transient storage. 

Transient storage was added to Ethereum with last year’s Dencun upgrade. The new feature allows for temporary storage of data leading to lower gas fees than regular storage.  

According to SupLabsYi, it’s still a “nascent feature,” and the attack may be one of the first to exploit its vulnerabilities.

“This isn’t merely a threat aimed at a single instance of uniswapV3SwapCallback,” SupLabsYi said.

TenArmorSecurity said the stolen funds have now been deposited into an address funded through the Ethereum privacy solution Railgun. Xatarrer has since reached out to Railgun for assistance. 

Related: DeFi hacks drop 40% in 2024, CeFi breaches surge to $694M — Hacken

SIR.trading’s documentation shows that it was billed as “a new DeFi protocol for safer leverage.” The stated purpose of the protocol was to address some of the challenges of leveraged trading, “such as volatility decay and liquidation risks, making it safer for long-term investing.”

While it aimed for safer leveraged trading, the protocol’s documentation did warn users that despite being audited, its smart contracts could still contain bugs that could lead to financial losses — highlighting the platform’s vaults as a particular area of vulnerability.

“Undiscovered bugs or exploits in SIR’s smart contracts could lead to fund losses. These might stem from complex logic in vault mechanics or leverage calculations that audits failed to catch, exposing users to rare but critical failures,” the project’s documentation states.

Magazine: What are native rollups? Full guide to Ethereum’s latest innovation