💥Exploit & Relaunch

What Went Wrong, and What Comes Next

Incident Overview

On March 30, 2025, SIR Trading's vault was drained of its entire $355K TVL when an attacker weaponized Ethereum's new transient storage (TSTORE/TLOAD) feature:

  1. Setup

    • Attacker deployed a custom Uniswap V3 pool and initialized a vault in our Vault contract.

    • During uniswapV3SwapCallback, the transient storage slot at position 1 was used to verify that the caller was a Uniswap pool; however, by the end of the execution that same slot was overwritten by tstore(1, amount), leaving stale data in the very slot the caller check reads. Transient storage is only cleared when the transaction ends, so the stale value remained readable by later calls in the same transaction.

  2. Vanity-Address Exploit

    • By brute-forcing a CREATE2 address whose numeric value equaled the forged mintAmount, the attacker passed our pool-address check.

    • They repeatedly invoked uniswapV3SwapCallback, siphoning all collateral through the compromised slot.

  3. Stolen Funds Trail
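The slot reuse described in steps 1 and 2, as an added illustration that is not SIR Trading's code: a vault that keeps the authorised pool address and the swap result in the same transient slot, beside a variant that gives each value its own slot and clears it as soon as it is consumed. The contract and interface names, the slot numbers 1 and 2, the swap arguments and the meaning attached to amount1Delta are assumptions made for this example; only the Uniswap V3 callback name and signature are the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tload/tstore in inline assembly need 0.8.24+ compiled for the Cancun EVM

// Added illustration, not SIR Trading's code. Contract names, slot numbers,
// swap arguments and the "amount" semantics are assumptions that mimic the
// pattern in the post-mortem: one transient slot stores the pool allowed to
// call back, the callback checks it, then the same slot is overwritten with
// an amount that the outer call reads afterwards.

interface IUniswapV3PoolMinimal {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

abstract contract TransientBase {
    function _tload(uint256 slot) internal view returns (uint256 v) {
        assembly { v := tload(slot) }
    }
    function _tstore(uint256 slot, uint256 v) internal {
        assembly { tstore(slot, v) }
    }
}

/// Vulnerable pattern: slot 1 is an address before the swap and an amount after it.
contract VaultSlotReuse is TransientBase {
    uint256 private constant SLOT = 1;

    function mint(IUniswapV3PoolMinimal pool, int256 amountIn) external returns (uint256 amountOut) {
        _tstore(SLOT, uint256(uint160(address(pool))));         // "this pool may call back"
        pool.swap(address(this), true, amountIn, 4295128740, ""); // MIN_SQRT_RATIO + 1, assumed zeroForOne swap
        amountOut = _tload(SLOT);                                // reads whatever the callback left in slot 1
        // ... mint `amountOut` to msg.sender ...
    }

    function uniswapV3SwapCallback(int256, int256 amount1Delta, bytes calldata) external {
        require(msg.sender == address(uint160(_tload(SLOT))), "not the pool");
        // ... pay the pool its input tokens ...
        uint256 amountOut = uint256(-amount1Delta); // assumed: negative delta = tokens received
        // BUG: slot 1 now holds an amount, not an address. Transient storage
        // survives until the end of the transaction, so any later call to this
        // function from an address whose numeric value equals `amountOut`
        // passes the require above.
        _tstore(SLOT, amountOut);
    }
}

/// Hardened pattern: separate slots for authorisation and data, the
/// authorisation consumed by its first use, and both slots cleared afterwards.
contract VaultSeparateSlots is TransientBase {
    uint256 private constant SLOT_POOL = 1;
    uint256 private constant SLOT_AMOUNT = 2;

    function mint(IUniswapV3PoolMinimal pool, int256 amountIn) external returns (uint256 amountOut) {
        _tstore(SLOT_POOL, uint256(uint160(address(pool))));
        pool.swap(address(this), true, amountIn, 4295128740, "");
        amountOut = _tload(SLOT_AMOUNT);
        _tstore(SLOT_POOL, 0);   // nothing stale survives the outer call
        _tstore(SLOT_AMOUNT, 0);
        // ... mint `amountOut` to msg.sender ...
    }

    function uniswapV3SwapCallback(int256, int256 amount1Delta, bytes calldata) external {
        uint256 expected = _tload(SLOT_POOL);
        require(expected != 0 && msg.sender == address(uint160(expected)), "not the pool");
        _tstore(SLOT_POOL, 0);   // consume it: a second callback in this tx is rejected
        require(amount1Delta < 0, "unexpected delta sign");
        // ... pay the pool its input tokens ...
        _tstore(SLOT_AMOUNT, uint256(-amount1Delta)); // data slot, never compared against msg.sender
    }
}
```

Separate slots alone remove the address/amount confusion; clearing the authorisation slot on first use is what stops a second callback inside the same transaction, since transient storage is reset only when the transaction ends, not when the call that wrote it returns.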

Our Emergency Response

When the exploit hit, we sprang into action using our protocol’s built-in safety guardrails:

  1. Emergency Mode Activated: We suspended all new deposits to stop any further loss while still allowing users to withdraw their funds.

  2. Shutdown: After 20 days, we permanently locked the protocol so that nobody can ever use it again.

Relaunch Complete

After the exploit, we took comprehensive steps to ensure the protocol's security:

  1. Four Security Audits Completed: We successfully completed four thorough security audits. All audit reports are available at https://www.sir.trading/audits.

  2. Protocol Is Live Again: SIR Trading has been successfully relaunched and is now live at https://app.sir.trading.

The protocol has been rebuilt with enhanced security measures and thoroughly vetted by multiple independent auditors to ensure the safety of user funds.
