Here’s how DeFi protocol SIR.trading lost its entire $355k TVL to an exploit


Attackers have exploited Synthetics Implemented Right, a decentralised finance protocol on the Ethereum blockchain, leading to the protocol losing its entire total value locked (TVL).

Known as SIR.trading, the protocol lost around $355,000 in the 30 March attack, with DeFiLlama data confirming its TVL has since dropped to zero.

SIR.trading had positioned itself as “a new DeFi protocol for safer leverage,” with the goal of reducing risks like volatility decay and liquidation. 

How was SIR.trading exploited?

Blockchain security firm Decurity called the incident a “clever attack” that exploited a vulnerability in the protocol’s vault contract. 

The issue was tied to the uniswapV3SwapCallback function, which leverages Ethereum’s transient storage, a new feature introduced in last year’s Dencun upgrade. 

According to the firm, the attacker managed to replace the legitimate Uniswap pool address in this callback function with their own, allowing them to redirect the vault’s funds.

The vault’s logic didn’t properly validate the callback source, and the use of transient storage let the attacker manipulate temporary data mid-transaction.

By repeatedly calling the vulnerable function, they were able to drain all assets from the vault.
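To make the weakness described above concrete, here is an added Solidity illustration, not SIR.trading's code and not taken from Decurity's write-up: a vault that records the Uniswap pool it expects in transient storage and checks msg.sender against that slot inside uniswapV3SwapCallback, shown first in the weak form (slot shared with a user-controlled write and never cleared) and then hardened. The slot names, the mint function and the isKnownPool allowlist are assumptions made for the example.

```solidity
pragma solidity ^0.8.24; // tstore/tload need the Cancun (Dencun) EVM target
interface IERC20 { function transfer(address to, uint256 amt) external returns (bool); }

// Helpers shared by both illustrative vaults (assumed code, not SIR.trading's).
abstract contract TransientBase {
    IERC20 public immutable token;
    constructor(IERC20 t) { token = t; }
    function _tstore(bytes32 s, uint256 v) internal { assembly { tstore(s, v) } }
    function _tload(bytes32 s) internal view returns (uint256 v) { assembly { v := tload(s) } }
}
// Weak pattern: one transient slot reused for two purposes and never cleared.
contract VulnerableVault is TransientBase {
    bytes32 private constant SLOT = keccak256("vault.transient");
    constructor(IERC20 t) TransientBase(t) {}
    function swap(address pool, bytes calldata data) external {
        _tstore(SLOT, uint256(uint160(pool)));     // remember who may call back
        (bool ok, ) = pool.call(data); require(ok); // pool re-enters the callback
        // SLOT keeps its value until the whole transaction ends
    }
    // Unrelated entry point writes a caller-chosen number into the SAME slot;
    // if that number equals the caller's own address, the callback check passes.
    function mint(uint256 amount) external { _tstore(SLOT, amount); }
    function uniswapV3SwapCallback(int256, int256 owed, bytes calldata) external {
        require(msg.sender == address(uint160(_tload(SLOT))), "not pool");
        token.transfer(msg.sender, uint256(owed));  // pays whoever passed the check
    }
}
// Hardened pattern: a dedicated slot written only on the swap path and cleared
// after use, plus an allowlist check so an unknown contract is never paid.
contract HardenedVault is TransientBase {
    bytes32 private constant CALLER_SLOT = keccak256("vault.swap.expectedCaller");
    bytes32 private constant MINT_SLOT = keccak256("vault.mint.amount"); // separate slot
    mapping(address => bool) public isKnownPool; // populated by governance (omitted)
    constructor(IERC20 t) TransientBase(t) {}
    function swap(address pool, bytes calldata data) external {
        require(isKnownPool[pool], "unknown pool");
        _tstore(CALLER_SLOT, uint256(uint160(pool)));
        (bool ok, ) = pool.call(data); require(ok);
        _tstore(CALLER_SLOT, 0);                    // do not rely on end-of-tx reset
    }
    function mint(uint256 amount) external { _tstore(MINT_SLOT, amount); }
    function uniswapV3SwapCallback(int256, int256 owed, bytes calldata) external {
        address expected = address(uint160(_tload(CALLER_SLOT)));
        require(expected != address(0) && msg.sender == expected, "not pool");
        require(isKnownPool[msg.sender], "unknown pool");
        token.transfer(msg.sender, uint256(owed));
    }
}
```

The defensive points are the ones the incident highlights: the transient slot that authorises a callback must be writable only by the code path that set up the external call, must be cleared as soon as that call returns, and the callback should not trust a stored address alone when an allowlist of known pools is available.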

In a separate post-incident commentary, blockchain researcher SupLabsYi of Supremacy highlighted that the attack may have exposed a broader issue with Ethereum’s transient storage itself.

He explained that transient storage only resets after the transaction ends, allowing the attacker to overwrite critical security data before the function finishes executing, adding:

What’s striking is that transient storage, introduced via EIP-1153 in the Dencun hard fork, is still a nascent feature.

This may be one of the first real-world attacks exploiting its vulnerabilities and may signal further changes in attack trends.

In this case, the attacker was able to brute-force a vanity address to make the fake pool look legitimate and used a custom contract to complete the exploit.

TenArmor, another blockchain research firm and one of the first to flag the incident on X, added that the stolen funds were quickly transferred into an address funded through the Ethereum privacy platform Railgun. 

The project’s founder, who identifies as Xatarrer, has reached out to Railgun for assistance.

In an earlier message to the community, Xatarrer described the exploit as “the worst news a protocol could receive,” but said they were open to rebuilding and called for feedback on next steps.

DeFi exploits remain a consistent threat

As DeFi continues to innovate, so do the tactics of attackers, with SIR.trading now joining a roster of exploited protocols in recent weeks.

On March 19, Four.Meme, a BNB Chain-based memecoin launch platform, suspended its token launch feature after a critical vulnerability in one of the protocol’s functions allowed an attacker to manipulate the platform’s smart contract.

Prior to this attack, Four.Meme suffered another attack on February 11, which also led to the temporary suspension of its token liquidity pool on PancakeSwap.

During the same month, decentralised lending protocol zkLend was drained of over $9 million following what the developers described as an empty market exploit. 

According to a January report from web3 security firm PeckShield, DeFi protocols were the most targeted in 2024.

Crypto investors lost $3.01 billion, a roughly 15% increase from the previous year.

The post Here’s how DeFi protocol SIR.trading lost its entire $355k TVL to an exploit appeared first on Invezz
