crypto.news
2025-03-31 06:15:15

DeFi protocol SIR.trading loses entire $355K TVL following exploit

Ethereum-based DeFi protocol SIR.trading, also known as Synthetics Implemented Right, was completely drained in an exploit on Mar. 30, losing all $355,000 of its total value locked.

TenArmor, a blockchain security firm, was the first to report the attack, in a Mar. 30 post on X. TenArmor flagged several suspicious transactions and pointed out that the stolen funds had been transferred to RailGun, a privacy platform that helps hide transactions. Later, security platform Decurity revealed that the hacker took advantage of a flaw in SIR.trading's Vault contract, specifically in a function called "uniswapV3SwapCallback." Decurity referred to the hack as a "clever attack."

"Synthetics Implemented Right @leveragesir has been hacked for $355k. This is a clever attack. In the vulnerable contract Vault (https://t.co/RycDbFY5Xq) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. Specifically, it loads an address… pic.twitter.com/u6PhksPV31" — Decurity (@DecurityHQ), March 30, 2025

In another X post (https://twitter.com/suplabsyi/status/1906353837553946735?s=46&t=nznXkss3debX8JIhNzHmzw), blockchain researcher Yi explained that the vulnerability was due to how the contract verified transactions. Typically, it should only permit transactions from a Uniswap (UNI) pool or another reliable source. However, the contract relied on transient storage, a temporary storage technique introduced by EIP-1153 as part of Ethereum's (ETH) Dencun hard fork.

The problem? Transient storage resets only after a transaction ends, but the hacker manipulated the contract into overwriting important security data while the transaction was still running. The hacker then tricked the contract into trusting their fake address. They did this by brute-forcing a unique vanity address, enabling the contract to register their fake address as a legitimate one.
The hacker then used a custom contract to drain all the funds from SIR.trading's vault. The anonymous creator of SIR.trading, Xatarrer, acknowledged the attack after it happened, calling it "the worst news a protocol could receive." They asked for community feedback on what to do next and expressed interest in rebuilding despite the loss.

Since this attack may be among the first real-world instances of hackers exploiting this new Ethereum feature, it raises questions about the security of transient storage. Security experts caution that unless developers build stronger safeguards into their smart contracts, similar attacks may occur.
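The pattern described above, as an added illustration that is not SIR.trading's Vault code: a Uniswap V3 swap callback that trusts whatever address sits in a transient slot, beside a hardened variant. The contract names, the slot labels and the hypothetical "bookkeeping" write that recycles the slot are assumptions made for the example; the transient-storage opcodes (EIP-1153 `tstore`/`tload`) and the callback signature are Ethereum's and Uniswap V3's real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload require the Cancun EVM (EIP-1153)

// Added illustration, not SIR.trading's Vault code. Contract names, slot
// labels and the bookkeeping write that recycles the slot are assumptions
// made for this example; the callback signature is Uniswap V3's real one.

interface IUniswapV3PoolLike {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

// Vulnerable pattern: one transient slot does double duty, and the callback
// trusts whatever word is in it as "the pool that is allowed to call me".
contract TransientGuardVulnerable {
    bytes32 private constant SHARED_SLOT = keccak256("example.shared.slot");

    function openPosition(address pool, bool zeroForOne, int256 amount, uint160 priceLimit) external {
        bytes32 slot = SHARED_SLOT;
        assembly { tstore(slot, pool) } // remember who may call back
        IUniswapV3PoolLike(pool).swap(address(this), zeroForOne, amount, priceLimit, "");
        // The slot is never cleared: its contents survive until the transaction ends.
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata) external {
        bytes32 slot = SHARED_SLOT;
        address expected;
        assembly { expected := tload(slot) }
        require(msg.sender == expected, "bad caller");
        // Hypothetical bookkeeping that reuses the same slot for an amount.
        // From here on the "expected caller" is a number derived from swap
        // input, so a later callback in the same transaction is accepted from
        // any caller whose address happens to equal that word.
        assembly { tstore(slot, amount0Delta) }
        // ... settle with the pool ...
    }
}

// Hardened pattern: a dedicated slot per purpose, written immediately before
// the external call, consumed exactly once in the callback, and cleared again
// when the call returns, so nothing stale is ever trusted.
contract TransientGuardHardened {
    bytes32 private constant CALLER_SLOT = keccak256("example.expected-caller");
    bytes32 private constant AMOUNT_SLOT = keccak256("example.amount0-delta");

    function openPosition(address pool, bool zeroForOne, int256 amount, uint160 priceLimit) external {
        bytes32 slot = CALLER_SLOT;
        assembly { tstore(slot, pool) }
        IUniswapV3PoolLike(pool).swap(address(this), zeroForOne, amount, priceLimit, "");
        assembly { tstore(slot, 0) } // defensive: clear even if the callback never ran
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata) external {
        bytes32 slot = CALLER_SLOT;
        address expected;
        assembly {
            expected := tload(slot)
            tstore(slot, 0) // consume once: a second callback cannot reuse it
        }
        require(expected != address(0) && msg.sender == expected, "bad caller");
        bytes32 amountSlot = AMOUNT_SLOT;
        assembly { tstore(amountSlot, amount0Delta) } // bookkeeping lives in its own slot
        // ... settle with the pool ...
    }
}
```

The decisive changes are that the expected-caller word exists only in the window between the pool call and its callback, is zeroed on the way out of both functions, and shares its slot with nothing else, so no value derived from user input can end up being compared against msg.sender. Uniswap's own periphery avoids relying on transient state for this check altogether: it recomputes the pool address from the factory, the two tokens and the fee tier and requires msg.sender to match. Where a contract can do that, it is the simpler guard.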
