# Exploit & Relaunch

## Incident Overview

On **March 30, 2025**, SIR Trading's vault was drained of its entire $355 K TVL when an attacker weaponized Ethereum's new **transient storage** (TSTORE/TLOAD) feature:

1. **Setup**
   * Attacker deployed a custom Uniswap V3 pool and initialized a vault in our Vault contract.
   * During `uniswapV3SwapCallback`, the transient storage slot at position 1 was used to verify that the caller was a Uniswap pool. However, by the end of execution [that slot was overwritten](https://github.com/SIR-trading/Core/blob/ba212ea3a452b81752e82d5f2b2c55b897e0451d/src/Vault.sol#L300C13-L300C30) by `tstore(1, amount)`, leaving stale data.
2. **Vanity‐Address Exploit**
   * By brute‐forcing a **CREATE2** address whose numeric value equaled the forged `mintAmount`, the attacker passed our pool-address check.
   * They repeatedly invoked `uniswapV3SwapCallback`, siphoning all collateral through the compromised slot.
3. **Stolen Funds Trail**
   * Initial funds (0.3 ETH) came from Railgun.
   * Attack TX: [`0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f`](https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f)
   * Attacker: `0x27defcfa6498f957918f407ed8a58eba2884768c`

{% hint style="warning" %}
**Root cause:** our callback logic did not clear or re-validate the transient‐storage slot between operations, allowing a crafted value to masquerade as the pool address.
{% endhint %}
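
The slot-reuse pattern behind the root cause above, shown next to a hardened form. This is an added illustration, not SIR's Vault code: the contract and function names, `AMOUNT_SLOT`, and the clear-on-exit logic are assumptions; only the use of transient slot 1 for the pool check and its overwrite by `tstore(1, amount)` come from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload in inline assembly need the Cancun EVM target

// Illustrative contracts only; names and logic are hypothetical, not SIR's Vault.
contract SlotReuseVulnerable {
    function startSwap(address pool) external {
        assembly { tstore(1, pool) }          // slot 1 = pool expected to call back
        // ... pool.swap(...) would run here and re-enter swapCallback ...
    }

    function swapCallback(uint256 amount) external {
        address expected;
        assembly { expected := tload(1) }
        require(msg.sender == expected, "not pool");
        // ... mint / move collateral ...
        assembly { tstore(1, amount) }        // BUG: auth slot reused to hold a value
        // Until the transaction ends, slot 1 holds `amount`, so a caller whose
        // address equals that number satisfies the require above.
    }
}

contract SlotReuseHardened {
    uint256 private constant POOL_SLOT = 1;   // authentication only
    uint256 private constant AMOUNT_SLOT = 2; // data handed back to the caller

    function startSwap(address pool) external {
        assembly { tstore(POOL_SLOT, pool) }
        // ... pool.swap(...) ...
        assembly { tstore(POOL_SLOT, 0) }     // clear even if no callback happened
    }

    function swapCallback(uint256 amount) external {
        address expected;
        assembly { expected := tload(POOL_SLOT) }
        // A zeroed slot means no swap is in flight; reject instead of comparing.
        require(expected != address(0) && msg.sender == expected, "not pool");
        assembly {
            tstore(POOL_SLOT, 0)              // one-shot: consume the authorization
            tstore(AMOUNT_SLOT, amount)       // never write data into the auth slot
        }
    }
}
```

Transient storage persists for the whole transaction, not just the current call frame, so any slot used for authentication must be zeroed before control returns to untrusted code.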

## **Our Emergency Response**

When the exploit hit, we sprang into action using our [protocol’s built-in safety guardrails](https://github.com/SIR-trading/SIR-gitbook/blob/main/protocol-overview/beta-period.md):

1. **Emergency Mode Activated**\
   We suspended all new deposits to stop any further loss while still allowing users to withdraw their funds.
2. **Shutdown**\
   After 20 days, we permanently locked the protocol to ensure nobody will ever use it.

## **Relaunch Complete**

After the exploit, we took comprehensive steps to ensure the protocol's security:

1. **Four Security Audits Completed**\
   We successfully completed four thorough security audits. All audit reports are available at <https://www.sir.trading/audits>.
2. **Protocol is Live Again**\
   SIR Trading has been successfully relaunched and is now live at <https://app.sir.trading>.

The protocol has been rebuilt with enhanced security measures and thoroughly vetted by multiple independent auditors to ensure the safety of user funds.

