DeFi Protocol SIR.trading Loses Entire $355K TVL in 'Worst News' Possible
A devastating hack has struck DeFi protocol SIR.trading, resulting in the loss of its entire total value locked (TVL) – a staggering $355,000 at the time of the attack. The March 30th incident was initially detected by blockchain security firms TenArmorAlert and Decurity, both of which posted warnings on X to alert users of the protocol.
The founder of SIR.trading, known only as Xatarrer, described the hack as "the worst news a protocol could receive," but suggested that the team intends to try to keep the protocol going despite the setback. Decurity, however, painted a more ominous picture, describing the hack as a "clever attack" that targeted a callback function used in the protocol's "vulnerable contract Vault."
The attack, according to Decurity, was carried out by replacing the real Uniswap pool address used in this callback function with an address under the hacker's control. This allowed them to redirect the funds in the vault to their own address, effectively draining the protocol's TVL.
TenArmorAlert further explained that by repeatedly calling this callback function, the attacker was able to fully drain the protocol's TVL. SupLabsYi from blockchain security firm Supremacy went into more detail on the attack in an X post, stating it may demonstrate a security flaw in Ethereum's transient storage feature.
Transient storage was added to Ethereum in last year's Dencun upgrade and is designed to provide temporary data storage at a lower gas cost than regular storage. However, according to SupLabsYi, it is still a "nascent feature," and the attack may be one of the first to exploit its vulnerabilities.
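A sketch of the callback-authorisation pattern at issue, added here as an illustration and not SIR.trading's own Vault code; the contract names, the transient slot keys and the `getPool` lookup against a Uniswap V3 factory are assumptions for the example. The fragile contract trusts a caller-supplied pool address and leaves the authorising slot populated; the hardened one derives the pool from the factory and makes the authorisation single-use.

```solidity
pragma solidity ^0.8.24; // tstore/tload need the Cancun EVM target
// Added illustration, not SIR.trading's Vault. Names and slot keys are assumptions.
interface IUniswapV3Pool {
    function swap(address to, bool zeroForOne, int256 amt, uint160 priceLimit, bytes calldata data)
        external returns (int256, int256);
}
interface IUniswapV3Factory {
    function getPool(address a, address b, uint24 fee) external view returns (address);
}
abstract contract TransientSlot {
    function _tstore(bytes32 s, uint256 v) internal { assembly { tstore(s, v) } }
    function _tload(bytes32 s) internal view returns (uint256 v) { assembly { v := tload(s) } }
}

/// Fragile: the "pool" is whatever address the caller hands in, and the slot that
/// authorises the callback is never cleared, so any contract whose address lands in
/// the slot can invoke the callback, repeatedly, for the rest of the transaction.
contract FragileVault is TransientSlot {
    bytes32 constant SLOT = bytes32(uint256(1)); // assumed slot key
    function trade(IUniswapV3Pool pool, int256 amt, uint160 priceLimit) external {
        _tstore(SLOT, uint256(uint160(address(pool)))); // caller-chosen address becomes trusted
        pool.swap(address(this), true, amt, priceLimit, "");
        // SLOT still holds the "pool" after the swap returns
    }
    function uniswapV3SwapCallback(int256 owed0, int256, bytes calldata) external {
        require(msg.sender == address(uint160(_tload(SLOT))), "bad caller");
        // ... pay `owed0` of token0 from the vault to msg.sender ...
    }
}

/// Hardened: the pool is looked up from the factory, the slot key is dedicated,
/// and the authorisation is single-use: cleared by the callback and after the swap.
contract HardenedVault is TransientSlot {
    bytes32 constant SLOT = keccak256("vault.expectedCallbackCaller");
    IUniswapV3Factory immutable factory;
    constructor(IUniswapV3Factory f) { factory = f; }
    function trade(address a, address b, uint24 fee, int256 amt, uint160 priceLimit) external {
        address pool = factory.getPool(a, b, fee);
        require(pool != address(0), "unknown pool");
        _tstore(SLOT, uint256(uint160(pool)));
        IUniswapV3Pool(pool).swap(address(this), true, amt, priceLimit, "");
        _tstore(SLOT, 0); // never leave an authorised caller behind
    }
    function uniswapV3SwapCallback(int256 owed0, int256, bytes calldata) external {
        address expected = address(uint160(_tload(SLOT)));
        require(expected != address(0) && msg.sender == expected, "bad caller");
        _tstore(SLOT, 0); // consume: a second call in the same transaction is rejected
        // ... pay `owed0` of token0 from the vault to msg.sender ...
    }
}
```

Because transient storage persists for the whole transaction rather than for a single call, a slot that authorises a callback should be written immediately before the external call that triggers it and zeroed as soon as it has been used.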
TenArmorSecurity reported that the stolen funds have now been deposited into an address funded through the Ethereum privacy solution Railgun. Xatarrer has since reached out to Railgun for assistance, highlighting the challenges of navigating the complex web of DeFi security.
A Cautionary Tale for DeFi Protocols
The hack serves as a stark reminder of the risks involved in DeFi trading and the importance of robust security measures. SIR.trading's documentation had warned users that, despite being audited, its smart contracts might still contain bugs leading to financial losses.
"Undiscovered bugs or exploits in SIR's smart contracts could lead to fund losses," the project's documentation states. "These might stem from complex logic in vault mechanics or leverage calculations that audits failed to catch, exposing users to rare but critical failures."
What's Next for SIR.trading?
Xatarrer has expressed determination to keep the protocol going despite the setback, suggesting that the team will work tirelessly to address the vulnerabilities exposed by the hack. However, this raises questions about the long-term viability of the platform and whether users can trust it with their assets.
The Implications for Ethereum's Transient Storage Feature
Supremacy's SupLabsYi has raised concerns that the attack may be one of the first to exploit vulnerabilities in Ethereum's transient storage feature. If this is the case, it highlights the need for continued development and refinement of this nascent technology.
"Ethereum's transient storage feature is still a relatively new concept," SupLabsYi noted. "It's essential that we continue to monitor its security and make improvements as needed to prevent similar attacks in the future."