{"id":22557,"date":"2025-03-31T11:59:39","date_gmt":"2025-03-31T08:59:39","guid":{"rendered":"https:\/\/forklog.com\/en\/cunning-attack-on-sir-trading-protocol-wipes-out-tvl\/"},"modified":"2025-03-31T11:59:39","modified_gmt":"2025-03-31T08:59:39","slug":"cunning-attack-on-sir-trading-protocol-wipes-out-tvl","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/cunning-attack-on-sir-trading-protocol-wipes-out-tvl\/","title":{"rendered":"Cunning Attack on SIR.trading Protocol Wipes Out TVL"},"content":{"rendered":"<p>On March 30, the DeFi protocol SIR.trading on the Ethereum network, also known as Synthetics Implemented Right, lost $355,000 of its <span data-descr=\"total value locked\" class=\"old_tooltip\">TVL<\/span> due to a hack. Analysts from <a href=\"https:\/\/x.com\/TenArmorAlert\/status\/1906268185046745262\">TenArmorAlert<\/a> and <a href=\"https:\/\/x.com\/DecurityHQ\/status\/1906270316935942350\">Decurity<\/a> were the first to notice the incident.<\/p>\n<p>The latter reported that the target of the &#8220;cunning attack&#8221; was a function of the &#8220;vulnerable contract Vault,&#8221; which uses Ethereum&#8217;s transient storage to verify the caller. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Synthetics Implemented Right <a href=\"https:\/\/twitter.com\/leveragesir?ref_src=twsrc%5Etfw\">@leveragesir<\/a> has been hacked for $355k<\/p>\n<p>This is a clever attack. In the vulnerable contract Vault (<a href=\"https:\/\/t.co\/RycDbFY5Xq\">https:\/\/t.co\/RycDbFY5Xq<\/a>) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. 
Specifically, it loads an address\u2026 <a href=\"https:\/\/t.co\/u6PhksPV31\">pic.twitter.com\/u6PhksPV31<\/a><\/p>\n<p>\u2014 Decurity (@DecurityHQ) <a href=\"https:\/\/twitter.com\/DecurityHQ\/status\/1906270316935942350?ref_src=twsrc%5Etfw\">March 30, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to Decurity, the attacker first <span data-descr=\"brute force\" class=\"old_tooltip\">brute-forced<\/span> a vanity address and then supplied arguments that minted exactly the required number of tokens: because the amount value is written to the same transient storage slot that the contract later reads back as an address, the attacker could make it equal an address he controlled. He then replaced the Uniswap pool address that the contract actually loaded with his own wallet. By repeatedly calling this function, he completely drained the protocol&#8217;s TVL, added TenArmorAlert.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">The root cause lies in the transient storage collision in the uniswapV3SwapCallback function, which uses slot 1 both for the Uniswap pool address and the minted token amount.<\/p>\n<p>The attacker initialized a malicious vault and manipulated the minted amount to exactly equal a\u2026 <a href=\"https:\/\/t.co\/198A5Wrsbq\">pic.twitter.com\/198A5Wrsbq<\/a><\/p>\n<p>\u2014 TenArmorAlert (@TenArmorAlert) <a href=\"https:\/\/twitter.com\/TenArmorAlert\/status\/1906288719898005848?ref_src=twsrc%5Etfw\">March 30, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Analyst SupLabsYi from Supremacy <a href=\"https:\/\/x.com\/SuplabsYi\/status\/1906357338191302717\">concluded<\/a> that the attack demonstrates a potential security vulnerability of Ethereum&#8217;s transient storage. 
This feature was added to the network in last year&#8217;s Dencun upgrade to reduce transaction fees.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;This is not just a threat aimed at a single instance of uniswapV3SwapCallback,&#8221; noted expert SupLabsYi, who suggested protecting the function by <a href=\"https:\/\/x.com\/SuplabsYi\/status\/1906359816043323399\">adding<\/a> a &#8220;state checkpoint.&#8221;<\/p>\n<\/blockquote>\n<p>The founder of the SIR.trading protocol, known as Xatarrer, described the hack as &#8220;the worst news&#8221; possible. However, he added that the team intends to try to keep the protocol operational.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">So we got the worst news a protocol could receive and got hacked for our entire TVL ($355k).<\/p>\n<p>I (<a href=\"https:\/\/twitter.com\/Xatarrer?ref_src=twsrc%5Etfw\">@Xatarrer<\/a>) would like to not throw in the towel here as I truly believe in SIR.<\/p>\n<p>If you also believe in the core protocol and have any idea on how to proceed forward, please DM. <a href=\"https:\/\/t.co\/FD6QxwfXP4\">https:\/\/t.co\/FD6QxwfXP4<\/a><\/p>\n<p>\u2014 SIR.trading (?^?) (@leveragesir) <a href=\"https:\/\/twitter.com\/leveragesir\/status\/1906320010210902298?ref_src=twsrc%5Etfw\">March 30, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Experts from TenArmorSecurity <a href=\"https:\/\/x.com\/TenArmorAlert\/status\/1906268185046745262\">recorded<\/a> the movement of the stolen assets to the Ethereum mixer Railgun. Xatarrer reached out to the service team for help in recovering the funds. 
<\/p>\n<p>SIR.trading positioned itself as a &#8220;new DeFi protocol for safer leverage.&#8221; The project&#8217;s documentation contains a <a href=\"https:\/\/docs.sir.trading\/protocol-overview\/user-risks\">warning<\/a> about potential errors in smart contracts that could lead to financial losses. <\/p>\n<p>Back in September 2024, a hacker <a href=\"https:\/\/forklog.com\/en\/news\/hacker-compromises-dai-deployment-address-across-most-l2-networks\">compromised<\/a> the DAI deploy address in almost all L2 networks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 30, the DeFi protocol SIR.trading on the Ethereum network, also known as Synthetics Implemented Right, lost $355,000 of its TVL due to a hack. Analysts from TenArmorAlert and Decurity were the first to notice the incident. The latter reported that the target of the &#8220;cunning attack&#8221; was a function of the &#8220;vulnerable contract [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1093,46,1424],"class_list":["post-22557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-defi","tag-ethereum","tag-protocols"],"aioseo_notices":[],"amp_enabled":true,"views":"67","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"em
beddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=22557"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22557\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/22556"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=22557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=22557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=22557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}