TL;DR
- The DeFi protocol SIR.Trading was hacked on March 30, resulting in the loss of its entire locked value of $355,000.
- The attack exploited a vulnerability in Ethereum’s new transient storage system, introduced with the recent Dencun upgrade.
- Despite the major setback, the project’s team has stated its intention to continue operations and improve its security infrastructure.
The DeFi ecosystem has suffered another major blow following the confirmation that SIR.Trading, also known as Synthetics Implemented Right, lost its “entire Total Value Locked (TVL)” — approximately $355,000 USD — in a sophisticated attack that shook the crypto community.
The incident was initially detected by blockchain security firms TenArmorAlert and Decurity, who promptly issued warnings to users via the social network X. According to their assessment, the attack is one of the first known exploits targeting Ethereum’s transient storage system, introduced with last year’s Dencun upgrade.
A promising feature, but still vulnerable
Transient storage was designed to optimize Ethereum’s gas usage by allowing temporary storage of data at a lower cost. However, as its integration is still recent, this case demonstrates that contracts relying on it can be vulnerable if it is not carefully implemented.
The attacker manipulated a callback function used in SIR.Trading’s contracts, replacing the address of a legitimate Uniswap pool with one under their control. This allowed the hacker to redirect the funds from the protocol’s vault to their own wallet, repeating the process until the entire TVL was drained.
According to SupLabsYi, a security analyst at Supremacy, this exploit could represent a broader threat to other protocols relying on transient storage without robust protective measures in place.
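The callback-trust pattern described above, as an added Solidity example (not SIR.Trading's code; the contract, interface, function and slot names are all hypothetical): a callback that trusts only the address held in a transient slot, next to a version that also checks a persistent allowlist and clears the slot. Transient storage lasts until the end of the transaction rather than the end of the call, which is why a stale or overwritten value matters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload require the Cancun EVM (EIP-1153)
interface IPool { function swap(uint256 amountIn) external; }
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Hypothetical vault for illustration; every name here is an assumption.
contract GuardedVault {
    bytes32 private constant POOL_SLOT = keccak256("example.vault.expectedPool");
    IERC20 public immutable token;
    mapping(address => bool) public trustedPool; // persistent allowlist, set once

    constructor(IERC20 token_, address[] memory pools) {
        token = token_;
        for (uint256 i = 0; i < pools.length; i++) trustedPool[pools[i]] = true;
    }

    function _tset(address a) private { bytes32 s = POOL_SLOT; assembly { tstore(s, a) } }
    function _tget() private view returns (address a) {
        bytes32 s = POOL_SLOT;
        assembly { a := tload(s) }
    }

    // WEAK: the callback trusts whatever the transient slot holds. The slot is never
    // cleared, so a leftover or later-written value decides who may collect funds.
    function swapWeak(address pool, uint256 amountIn) external {
        require(trustedPool[pool], "unknown pool");
        _tset(pool);
        IPool(pool).swap(amountIn); // pool calls back into callbackWeak
    }
    function callbackWeak(uint256 owed) external {
        require(msg.sender == _tget(), "not pool");
        require(token.transfer(msg.sender, owed), "transfer failed");
    }

    // HARDENED: the slot is only a per-swap marker; trust comes from persistent
    // storage, the slot must be empty on entry, and it is zeroed after use.
    function swapHardened(address pool, uint256 amountIn) external {
        require(trustedPool[pool], "unknown pool");
        require(_tget() == address(0), "swap in progress");
        _tset(pool);
        IPool(pool).swap(amountIn);
        _tset(address(0)); // do not leave state behind for later calls
    }
    function callbackHardened(uint256 owed) external {
        require(msg.sender == _tget() && trustedPool[msg.sender], "not pool");
        _tset(address(0)); // one callback per swap
        require(token.transfer(msg.sender, owed), "transfer failed");
    }
}
```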
Failure or a lesson for DeFi’s future?
Despite the attack, the lead developer of SIR.Trading, known as Xatarrer, stated that the team intends to continue with the project. The team has already reached out to Railgun — the Ethereum-based privacy solution used by the hacker to move the stolen funds — in hopes of collaborating to trace and possibly recover some of the stolen assets.
SIR.Trading positioned itself as a safer solution for leveraged trading and had clearly warned users in its documentation that its smart contracts, though audited, might still contain undiscovered bugs or vulnerabilities. The vaults, in particular, were identified as a higher-risk component due to their complex mechanics. This unfortunate event underscores the importance of responsible innovation in the DeFi space, especially when integrating new features like transient storage.
Although painful, this incident could encourage better practices and improvements in how new Ethereum functionalities are implemented, serving as a constructive warning for developers across the crypto industry.