
An Ethereum-based DeFi protocol called SIR.trading (Synthetics Implemented Right) has suffered a hack that wiped out its entire total value locked (TVL) of $355,000 in an attack on March 30.
Blockchain security firms TenArmorAlert and Decurity were the first to detect the breach and issued warnings on X to alert users.
The protocol’s founder, known as Xatarrer, acknowledged the hack as “the worst news a protocol could receive” but indicated that the team intends to continue operating despite the incident.
The Attack: Exploiting the Contract Vault
Decurity described the exploit as a “clever attack” targeting a callback function in the protocol’s vault contract, which uses Ethereum’s transient storage feature. The attacker replaced the legitimate Uniswap pool address that this function relies on with their own address, allowing them to redirect the vault’s funds to themselves. By repeatedly triggering the callback function, the attacker drained the entire TVL.
According to SupLabsYi from blockchain security firm Supremacy, the attack may reveal a security flaw in Ethereum’s transient storage feature, introduced in last year’s Dencun upgrade. Transient storage provides data storage that lasts only for the duration of a transaction, at a lower gas cost than regular storage. SupLabsYi noted that transient storage is still a developing feature, and that this incident could be among the first to exploit its weaknesses.
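The guard pattern the security firms describe, as an added example that is not SIR.trading’s code: a Uniswap V3 swap callback that trusts an address held in transient storage, beside a version that gives the guard its own slot, consumes it on first use, and cross-checks the caller against the Uniswap factory. Contract names, function names and the slot number are constructed for the illustration; the Uniswap pool and factory interfaces are the real ones. The weak contract shows one way a stored pool address can end up replaced, namely raw `tstore` calls that reuse the same slot number for an unrelated value; that is a constructed instance of the hazard class, not a statement about how SIR.trading’s contract was written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28; // tstore/tload and `transient` variables need evm_version = cancun

// Added illustration; not SIR.trading's code. Contract, function and slot names are
// made up. Both vaults take an exact-input swap from a Uniswap V3 pool and pay for
// it inside the pool's callback. The difference is how the callback decides who is
// allowed to call it and move tokens out of the vault.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
                  uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
}

/// Weak pattern: the callback trusts whatever sits in a hand-numbered transient slot.
/// Transient storage lasts for the whole transaction and is never reset between
/// calls, so every tstore to slot 1 anywhere in the contract decides who passes
/// the guard, and the guard stays armed after the swap has finished.
contract WeakVault {
    uint256 private constant SLOT_1 = 1; // reused below for two unrelated values

    function swapAndPay(address pool, address payToken, uint256 amountIn,
                        bool zeroForOne, uint160 priceLimit) external {
        assembly { tstore(SLOT_1, pool) }               // meant as "expected caller"
        IUniswapV3Pool(pool).swap(address(this), zeroForOne, int256(amountIn),
                                  priceLimit, abi.encode(payToken));
        assembly { tstore(SLOT_1, amountIn) }           // same slot, now an amount:
    }                                                   // the stored pool address is gone

    function uniswapV3SwapCallback(int256 amount0, int256 amount1, bytes calldata data)
        external
    {
        address expected;
        assembly { expected := tload(SLOT_1) }          // whatever was written last
        require(msg.sender == expected, "not the pool");
        address payToken = abi.decode(data, (address));
        uint256 owed = amount0 > 0 ? uint256(amount0) : uint256(amount1);
        IERC20(payToken).transfer(msg.sender, owed);   // pays whoever passed the guard
    }
}

/// Hardened pattern: a compiler-managed transient variable whose slot no other
/// write can share, consumed (read and zeroed) before any token moves, plus an
/// independent check that msg.sender is a pool the factory actually deployed.
contract HardenedVault {
    IUniswapV3Factory public immutable factory;
    address transient expectedPool;    // dedicated slot, cleared on use
    uint256 transient pendingAmount;   // separate variable for the separate purpose

    constructor(IUniswapV3Factory f) { factory = f; }

    function swapAndPay(address tokenA, address tokenB, uint24 fee, address payToken,
                        uint256 amountIn, bool zeroForOne, uint160 priceLimit) external {
        address pool = factory.getPool(tokenA, tokenB, fee);
        require(pool != address(0), "no such pool");
        expectedPool = pool;
        pendingAmount = amountIn;
        IUniswapV3Pool(pool).swap(address(this), zeroForOne, int256(amountIn),
                                  priceLimit, abi.encode(tokenA, tokenB, fee, payToken));
        require(expectedPool == address(0), "callback did not run"); // guard was consumed
        pendingAmount = 0;                                            // leave nothing armed
    }

    function uniswapV3SwapCallback(int256 amount0, int256 amount1, bytes calldata data)
        external
    {
        address expected = expectedPool;
        expectedPool = address(0);                       // one-shot: disarm before anything else
        require(expected != address(0) && msg.sender == expected, "not the expected pool");

        (address tokenA, address tokenB, uint24 fee, address payToken) =
            abi.decode(data, (address, address, uint24, address));
        require(factory.getPool(tokenA, tokenB, fee) == msg.sender, "not a factory pool");

        uint256 owed = amount0 > 0 ? uint256(amount0) : uint256(amount1);
        require(owed <= pendingAmount, "pool asks for more than quoted");
        pendingAmount = 0;
        require(IERC20(payToken).transfer(msg.sender, owed), "transfer failed");
    }
}
```

The three hardening choices are independent and worth keeping together: a named `transient` variable removes the possibility of two code paths sharing a slot number; clearing the variable before any transfer turns the guard into a one-shot token that the rest of the transaction cannot reuse; and the `getPool` lookup means the callback does not depend on transient state at all for the question of whether the caller is a real pool. Reviewing a vault that uses raw `tstore`/`tload`, the things to check are exactly these: who else writes that slot, whether it is cleared after the callback, and whether the guard has a second source of truth.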
TenArmorSecurity reported that the stolen funds have been transferred to an address funded through the Ethereum privacy tool Railgun. Xatarrer has reached out to Railgun for assistance in recovering the stolen funds.
SIR.trading’s documentation billed it as a “safer” leveraged trading protocol that aimed to address issues like volatility decay and liquidation risk, promoting itself as a better option for long-term investments.
However, the protocol’s documentation did acknowledge potential security risks, even though the smart contracts had been audited. It warned users that undiscovered bugs or exploits, particularly within the vault mechanics or leverage calculations, could result in loss of funds because of the complexity of the logic or overlooked vulnerabilities.
This incident highlights the risks associated with using new blockchain features like transient storage and underscores the importance of thorough auditing and ongoing security monitoring.