DeFi protocol SIR.trading loses entire $355K TVL in ‘worst news’ possible
Ethereum-based DeFi protocol SIR.trading, also known as Synthetics Implemented Right, was hacked on March 30 and lost its entire total value locked (TVL) of $355,000. Blockchain security firms were the first to alert users to the breach, which targeted a callback function in the protocol’s vulnerable vault contract, a contract that uses Ethereum’s transient storage feature. The attacker replaced the real Uniswap pool address used by the callback function with an address under their control, which let them redirect funds to their own address. By invoking the callback repeatedly, the attacker drained the entire vault.

The incident has raised concerns about potential security flaws associated with Ethereum’s transient storage, a feature introduced in the Dencun upgrade last year. SIR.trading had aimed to provide safer leveraged trading but had cautioned that, despite audits, vulnerabilities could still exist. The founder, Xatarrer, described the hack as “the worst news a protocol could receive.” The stolen funds were reportedly funneled through Railgun, an Ethereum privacy solution, which complicates recovery efforts.
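The failure mode described above, modelled in Python as an added example (this is not SIR.trading's contract code): a callback that authenticates its caller only against a transient-storage slot, next to a hardened check. The slot number, the placeholder addresses and the `later_write` step are assumptions, since the article does not say how the slot came to be overwritten.

```python
class TransientStore:
    """EIP-1153 model: values survive nested calls within one transaction."""
    def __init__(self):
        self.slots = {}
    def tstore(self, slot, value):
        self.slots[slot] = value
    def tload(self, slot):
        return self.slots.get(slot, 0)

POOL_SLOT = 1                            # constructed slot number
REAL_POOL, ROGUE = "0xPool", "0xRogue"   # constructed placeholder addresses

class Vault:
    def __init__(self, balance):
        self.t = TransientStore()
        self.known_pools = {REAL_POOL}   # derived by the vault, never caller-supplied
        self.balance = balance

    def begin_swap(self, pool):
        self.t.tstore(POOL_SLOT, pool)   # remember which pool may call back

    def later_write(self, value):
        # Assumed weak point: the auth slot is written again in the same transaction.
        self.t.tstore(POOL_SLOT, value)

    def callback(self, sender, amount, hardened):
        if sender != self.t.tload(POOL_SLOT):
            raise PermissionError("sender does not match transient slot")
        if hardened:
            # Check the caller against state the slot cannot influence,
            # then clear the slot so each swap allows exactly one callback.
            if sender not in self.known_pools:
                raise PermissionError("sender is not a known pool")
            self.t.tstore(POOL_SLOT, 0)
        pay = min(amount, self.balance)
        self.balance -= pay              # the callback pays its caller
        return pay

def run_transaction(hardened, calls=4):
    """Replay the sequence from the article; return (vault balance, rejected calls)."""
    vault = Vault(balance=355_000)       # TVL figure from the article
    vault.begin_swap(REAL_POOL)
    vault.later_write(ROGUE)             # slot now names a caller-controlled address
    rejected = 0
    for _ in range(calls):
        try:
            vault.callback(ROGUE, 100_000, hardened)
        except PermissionError:
            rejected += 1
    return vault.balance, rejected
```

With the weak check every repeated callback is paid until the balance reaches zero; with the hardened check all four calls are rejected and the balance is untouched.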