
Cunning Attack on SIR.trading Protocol Wipes Out TVL
On March 30, the Ethereum DeFi protocol SIR.trading (Synthetics Implemented Right) lost its entire TVL, about $355,000, to a hack. Analysts from TenArmorAlert and Decurity were the first to report the incident.
Decurity described the "cunning attack" as targeting a function of the "vulnerable contract Vault," the uniswapV3SwapCallback, which relies on Ethereum's transient storage to check who is calling it.
Synthetics Implemented Right @leveragesir has been hacked for $355k
This is a clever attack. In the vulnerable contract Vault (https://t.co/RycDbFY5Xq) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. Specifically, it loads an address… pic.twitter.com/u6PhksPV31
— Decurity (@DecurityHQ) March 30, 2025
According to Decurity, the attacker first brute-forced a vanity address and then called the minting function with arguments chosen so that the number of tokens minted was exactly the numeric value of that address. Because the Vault writes the minted amount into the same transient slot that holds the Uniswap pool address, that write replaced the pool address with the attacker's own wallet. The attacker could then call uniswapV3SwapCallback directly from that wallet, pass the caller check, and repeat the call until the protocol's TVL was completely drained, TenArmorAlert added.
The root cause lies in the transient storage collision in the uniswapV3SwapCallback function, which uses slot 1 both for the Uniswap pool address and the minted token amount.
The attacker initialized a malicious vault and manipulated the minted amount to exactly equal a… pic.twitter.com/198A5Wrsbq
— TenArmorAlert (@TenArmorAlert) March 30, 2025
Analyst SupLabsYi from Supremacy concluded that the attack demonstrates a potential security vulnerability in the use of Ethereum's transient storage. The feature (EIP-1153) was added to the network in the Dencun upgrade in March 2024 to reduce gas costs for data that only needs to live for the duration of a single transaction.
"This is not just a threat aimed at a single instance of uniswapV3SwapCallback," SupLabsYi noted, suggesting that such functions be protected with a "state checkpoint."
The founder of the SIR.trading protocol, known as Xatarrer, called the hack "the worst news" a protocol could receive, but added that the team intends to keep the protocol operational.
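The slot reuse described by Decurity and TenArmorAlert, and the "state checkpoint" that SupLabsYi recommends, as a simplified reconstruction added here (this is example code, not SIR.trading's Vault): a vault that writes the expected pool address and then the minted amount to the same transient slot, next to a version that keeps the two values in separate slots, refuses nested mints, and clears both slots when the call ends. The interfaces, contract and slot names, and the payout logic inside the callback are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25; // tstore/tload in inline assembly need the Cancun EVM target

// Assumed minimal interfaces for the example (not SIR.trading's code).
interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IPool {
    // Uniswap V3 style: the pool calls msg.sender's uniswapV3SwapCallback before returning.
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

// VULNERABLE pattern: one transient slot carries two different values.
contract VulnerableVault {
    uint256 private constant SLOT = 1;      // pool address before the swap, minted amount after it
    IToken public immutable token;

    constructor(IToken t) { token = t; }

    function _tstore(uint256 s, uint256 v) private { assembly { tstore(s, v) } }
    function _tload(uint256 s) private view returns (uint256 v) { assembly { v := tload(s) } }

    function mint(IPool pool, bool zeroForOne, int256 amountSpecified, uint160 limit)
        external returns (uint256 minted)
    {
        _tstore(SLOT, uint256(uint160(address(pool))));   // remember who may call back
        pool.swap(address(this), zeroForOne, amountSpecified, limit, abi.encode(msg.sender));
        minted = _tload(SLOT);                            // the callback left the minted amount here
        // SLOT is never reset: for the rest of the transaction it holds a number the caller influenced.
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // The caller check reads the same slot that the end of this function overwrites.
        require(msg.sender == address(uint160(_tload(SLOT))), "caller is not the pool");
        uint256 amount = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        address to = abi.decode(data, (address));
        token.transfer(to, amount);                       // pay out (stands in for the mint logic)
        _tstore(SLOT, amount);                            // BUG: pool address replaced by the amount
    }
}
// Attack sequence, all in one transaction: (1) call mint() with swap parameters that make `amount`
// equal to the numeric value of an address the attacker controls; (2) call uniswapV3SwapCallback()
// directly from that address: the require passes because tload(SLOT) now returns the attacker's
// address; (3) repeat, each time choosing an `amount` that again equals that address.

// HARDENED pattern: separate slots, a guard against nested mints, and both slots cleared on exit.
contract HardenedVault {
    uint256 private constant POOL_SLOT = 1;   // who is allowed to call back
    uint256 private constant AMOUNT_SLOT = 2; // result handed back from the callback
    IToken public immutable token;

    constructor(IToken t) { token = t; }

    function _tstore(uint256 s, uint256 v) private { assembly { tstore(s, v) } }
    function _tload(uint256 s) private view returns (uint256 v) { assembly { v := tload(s) } }

    function mint(IPool pool, bool zeroForOne, int256 amountSpecified, uint160 limit)
        external returns (uint256 minted)
    {
        require(_tload(POOL_SLOT) == 0, "mint already in progress");
        // In production, also derive `pool` from the Uniswap factory instead of trusting the caller.
        _tstore(POOL_SLOT, uint256(uint160(address(pool))));
        pool.swap(address(this), zeroForOne, amountSpecified, limit, abi.encode(msg.sender));
        minted = _tload(AMOUNT_SLOT);
        _tstore(POOL_SLOT, 0);    // checkpoint: nothing from this call survives into later calls
        _tstore(AMOUNT_SLOT, 0);
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // Outside a mint POOL_SLOT reads as address(0), which no real caller can match.
        require(msg.sender == address(uint160(_tload(POOL_SLOT))), "caller is not the pool");
        uint256 amount = uint256(amount0Delta > 0 ? amount0Delta : amount1Delta);
        address to = abi.decode(data, (address));
        token.transfer(to, amount);
        _tstore(AMOUNT_SLOT, amount);  // the result has its own slot; the caller check is untouched
    }
}
```

An address is just a 160-bit number, so the attack needs the value written last into the shared slot to equal that number exactly; that is why the attacker needed a specially chosen (vanity) address rather than any wallet. The hardened version removes the collision by giving each value its own slot, and the clearing at the end of mint() is the "state checkpoint": whatever a caller managed to write during the call cannot be reused by a later call in the same transaction.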
So we got the worst news a protocol could receive and got hacked for our entire TVL ($355k).
I (@Xatarrer) would not like to throw in the towel here as I truly believe in SIR.
If you also believe in the core protocol and have any idea on how to proceed forward, please DM. https://t.co/FD6QxwfXP4
— SIR.trading (@leveragesir) March 30, 2025
Experts from TenArmorSecurity traced the stolen assets to Railgun, an Ethereum privacy protocol (mixer). Xatarrer has contacted the Railgun team for help in recovering the funds.
SIR.trading positioned itself as a "new DeFi protocol for safer leverage." The project's documentation warns that errors in the smart contracts could lead to financial losses.
In September 2024, a hacker compromised the DAI deployer address on almost all L2 networks.