# Exploit & Relaunch

## Incident Overview

On **March 30, 2025**, SIR Trading's vault was drained of its entire $355 K TVL when an attacker weaponized Ethereum's new **transient storage** (TSTORE/TLOAD) feature:

1. **Setup**
   * Attacker deployed a custom Uniswap V3 pool and initialized a vault in our Vault contract.
   * During `uniswapV3SwapCallback`, the transient storage slot at position 1 was used to verify that the caller was a Uniswap pool. However, by the end of execution [that slot was overwritten](https://github.com/SIR-trading/Core/blob/ba212ea3a452b81752e82d5f2b2c55b897e0451d/src/Vault.sol#L300C13-L300C30) by `tstore(1, amount)`, leaving stale data behind.
2. **Vanity‐Address Exploit**
   * By brute‐forcing a **CREATE2** address whose numeric value equaled the forged `mintAmount`, the attacker passed our pool-address check.
   * They repeatedly invoked `uniswapV3SwapCallback`, siphoning all collateral through the compromised slot.
3. **Stolen Funds Trail**
   * Initial funds (0.3 ETH) came from Railgun.
   * Attack TX: [`0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f`](https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f)
   * Attacker: `0x27defcfa6498f957918f407ed8a58eba2884768c`

{% hint style="warning" %}
**Root cause:** our callback logic did not clear or re-validate the transient‐storage slot between operations, allowing a crafted value to masquerade as the pool address.
{% endhint %}
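
The slot reuse described above, as an added Python model (not code from the SIR Trading repository): transient storage is modelled as a per-transaction dictionary, and the class names, slot layout of the hardened variant, and sample values are assumptions made for illustration.

```python
# Simplified model of EIP-1153 transient storage: values persist across calls
# within one transaction and are discarded only when the transaction ends.
class Unauthorized(Exception):
    pass

class VulnerableVault:
    """Slot 1 is reused: first the expected pool address, later an amount."""
    def __init__(self):
        self.t = {}                                   # transient storage

    def begin_mint(self, pool):
        self.t[1] = pool                              # tstore(1, pool)

    def swap_callback(self, caller, amount):
        if self.t.get(1, 0) != caller:                # tload(1) == msg.sender ?
            raise Unauthorized(hex(caller))
        self.t[1] = amount                            # tstore(1, amount): stale value stays
        return amount

class HardenedVault:
    """Hypothetical fix: dedicated slots, authorization slot cleared once used."""
    POOL_SLOT, AMOUNT_SLOT = 1, 2

    def __init__(self):
        self.t = {}

    def begin_mint(self, pool):
        self.t[self.POOL_SLOT] = pool

    def swap_callback(self, caller, amount):
        expected = self.t.pop(self.POOL_SLOT, 0)      # read and clear in one step
        if expected == 0 or expected != caller:
            raise Unauthorized(hex(caller))
        self.t[self.AMOUNT_SLOT] = amount             # amount never shares the auth slot
        return amount

def second_callback_accepted(vault_cls, pool, amount):
    """One transaction: a legitimate callback, then a second callback whose
    caller value numerically equals the amount left in transient storage."""
    vault = vault_cls()
    vault.begin_mint(pool)
    vault.swap_callback(caller=pool, amount=amount)
    try:
        vault.swap_callback(caller=amount, amount=amount)
        return True
    except Unauthorized:
        return False

POOL, AMOUNT = 0xA11CE, 0xB0B                         # constructed sample values
```

In the vulnerable model the second callback passes the caller check because slot 1 still holds the amount; in the hardened model the authorization slot is empty after the first callback, so the second call is rejected.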

## Our Emergency Response

When the exploit hit, we sprang into action using our [protocol’s built-in safety guardrails](https://github.com/SIR-trading/SIR-gitbook/blob/main/protocol-overview/beta-period.md):

1. **Emergency Mode Activated**\
   We suspended all new deposits to stop any further loss while still allowing users to withdraw their funds.
2. **Shutdown**\
   After 20 days, we permanently locked the protocol so that nobody can ever use it again.

## Relaunch Complete

After the exploit, we took comprehensive steps to ensure the protocol's security:

1. **Four Security Audits Completed**\
   We successfully completed four thorough security audits. All audit reports are available at <https://www.sir.trading/audits>.
2. **Protocol is Live Again**\
   SIR Trading has been successfully relaunched and is now live at <https://app.sir.trading>.

The protocol has been rebuilt with enhanced security measures and thoroughly vetted by multiple independent auditors to ensure the safety of user funds.
