SIR.trading: Hacker steals the entire TVL of $355,000 by exploiting a vulnerability in Ethereum’s transient storage

A hacker attack on the DeFi protocol SIR.trading raises crucial questions about the security of the new transient storage feature, introduced by the Dencun hard fork on the Ethereum network.


Summary

DeFi hacker attack on SIR.trading: $355,000 in TVL stolen

The DeFi protocol SIR.trading (Synthetics Implemented Right) was hit on March 30 by a sophisticated exploit that led to the theft of the entire Total Value Locked (TVL), amounting to 355,000 dollars.

The security team TenArmorAlert detected the attack, confirming that the hacker exploited a vulnerability in the smart contracts connected to the new transient storage mode introduced on Ethereum with the Dencun update. Decurity, another company specializing in blockchain auditing and security, also publicly raised the alert, facilitating a rapid awareness among the DeFi community.

Xatarrer, founder of the protocol, confirmed the incident on X (formerly Twitter), calling it “the worst news a protocol can receive.” Despite the severity of the event, the team expressed the intention to try to continue the project, even though they have to rebuild user trust from scratch.

How the exploit works: the vulnerability in the callback function

According to Decurity, the exploit affected a smart contract named Vault, which used transient storage to optimize gas costs. The vulnerable contract contained a callback function that the hacker managed to manipulate, replacing the original Uniswap pool address with one controlled by the attacker.

The uniswapV3SwapCallback function, commonly used to handle automated trades, was invoked multiple times with modified parameters, allowing the attacker to redirect the funds contained in the vault to their own wallet. The lack of security checks on the authenticity of the Uniswap pool made the abuse possible.
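The missing pool check described above, shown as a weak callback beside a hardened one that pins the expected pool in transient storage for the duration of one transaction. This is an added Solidity sketch, not SIR.trading's Vault code; the contract names, the transient slot constant and the simplified callback body are assumptions, while the Uniswap v3 factory `getPool` signature is the real one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload require the Cancun EVM introduced by Dencun

// Real Uniswap v3 factory function; everything below it is illustrative only.
interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// WEAK (assumed pattern): no check that msg.sender is the pool the vault swapped
// with, so any contract that invokes the callback is paid as if it were the pool.
contract VaultWeak {
    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata data) external {
        address token = abi.decode(data, (address));
        IERC20(token).transfer(msg.sender, uint256(amount0Delta)); // pays whoever called
    }
}

// HARDENED: the function that starts the swap derives the pool from the factory,
// writes it to a dedicated transient slot, and the callback accepts only that
// caller, then clears the slot so a second callback in the same transaction fails.
contract VaultHardened {
    IUniswapV3Factory public immutable factory;
    // One slot reserved for this purpose only; never reuse it for amounts or other data.
    uint256 private constant SLOT_EXPECTED_POOL = 0x01;

    constructor(IUniswapV3Factory f) { factory = f; }

    // Called by the swap entry point before it calls the pool (entry point omitted).
    function _armCallback(address tokenA, address tokenB, uint24 fee) internal returns (address pool) {
        pool = factory.getPool(tokenA, tokenB, fee);
        require(pool != address(0), "pool does not exist");
        assembly { tstore(SLOT_EXPECTED_POOL, pool) }
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata data) external {
        address expected;
        assembly { expected := tload(SLOT_EXPECTED_POOL) }
        require(expected != address(0) && msg.sender == expected, "unauthorized callback");
        assembly { tstore(SLOT_EXPECTED_POOL, 0) } // single use per transaction
        require(amount0Delta > 0, "nothing owed");
        address token = abi.decode(data, (address));
        IERC20(token).transfer(msg.sender, uint256(amount0Delta));
    }
}
```

The hardened version also removes the usual alternative risk of deriving the pool from caller-supplied calldata: the expected address comes only from the factory lookup made by the vault itself.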

This type of attack falls into the category of logical exploits, which do not depend on obvious bugs in the code, but on design errors in the interaction between multiple contracts.

Ethereum Dencun and the emerging risks of transient storage

The Dencun hard fork, activated on the Ethereum mainnet in March 2024, introduced new features to improve scalability, including transient storage. This allows temporary on-chain data writes with lower gas consumption, but it also opens new attack surfaces.

According to the researcher SupLabsYi of Supremacy, this attack represents one of the first direct exploits related to the new architecture:

“It is not just an error in the callback function, but a wake-up call on the very use of transient storage.”

The problem, according to several analysts, is that transient storage does not retain data between transactions, but it remains accessible throughout the execution of a single transaction, opening unpredictable scenarios if poorly implemented.

The hacker’s wallet and anonymity with Railgun

The stolen funds were transferred to a wallet funded through Railgun, an Ethereum protocol focused on privacy. The founder has already contacted the Railgun team to try to trace the funds, but the chances of recovery remain low, in part because of the privacy-preserving nature of the protocol.

SIR.trading: from “safe” leverage to complete collapse

The SIR.trading project positioned itself as a DeFi platform for secure leverage trading, promising mechanisms to reduce the risks of liquidation and volatility. However, a disclaimer in the official documents warned of the possibility of bugs and exploits, even after technical audits:

“Undiscovered bugs or exploits in SIR smart contracts could lead to losses.”

The promise of a safer leverage was tragically disproven by an attack that brought the entire protocol to its knees.

Implications for DeFi and Ethereum

The exploit at SIR.trading has crucial implications:

• It highlights the limitations of smart contract audits in detecting vulnerabilities related to innovative functionalities.

• It raises doubts about the maturity of transient storage as a secure tool.

• It renews the debate on the necessity of stricter security standards for emerging DeFi protocols.

The case of SIR.trading is reminiscent of previous episodes such as Euler Finance or BadgerDAO, where sophisticated exploits also hit projects considered solid. Unlike these, however, SIR.trading was still in its early stages, making the reputational and operational impact even more difficult to overcome.

Conclusions: a wake-up call for the entire Ethereum ecosystem

The attack on SIR.trading is a warning for developers, investors, and users:

Every innovation — like transient storage — can hide critical vulnerabilities if not thoroughly tested.

For those building in DeFi, a new culture of security is needed. For investors, the golden rule always applies: never bet more than you are willing to lose.
