TLDR:
- SIR.trading (Synthetics Implemented Right) was completely drained of $355,000 TVL on March 30, 2025
- The exploit targeted a vulnerability in the protocol’s Vault contract, specifically in the “uniswapV3SwapCallback” function
- Hackers took advantage of Ethereum’s transient storage feature introduced in the Dencun hard fork
- The anonymous creator Xatarrer acknowledged the attack as “the worst news a protocol could receive”
- Security experts warn this may be one of the first real-world attacks exploiting Ethereum’s transient storage feature
The Exploit Unfolds
Ethereum-based DeFi protocol SIR.trading was completely drained in an exploit on March 30, 2025. The attack resulted in the loss of its entire total value locked (TVL) of $355,000.
TenArmor, a blockchain security firm, was first to report the attack on X. They flagged several suspicious transactions and noted that the stolen funds had been transferred to RailGun, a privacy platform that helps hide transactions.
🚨TenArmor Security Alert🚨
Our system has detected a suspicious attack involving #SIR.trading @leveragesir on #ETH, resulting in an approximate loss of $353.8K.
The stolen funds have been deposited into RailGun.
Attack transaction: https://t.co/W5SRnzKjDF… pic.twitter.com/e1OOQoKbhz
— TenArmorAlert (@TenArmorAlert) March 30, 2025
The protocol, also known as Synthetics Implemented Right, was designed to provide “safer leverage” for DeFi traders. It aimed to address challenges in leveraged trading such as volatility decay and liquidation risks.
Security platform Decurity later revealed details about the exploit. They described it as a “clever attack” targeting a flaw in SIR.trading’s Vault contract, specifically in a function called “uniswapV3SwapCallback.”
Synthetics Implemented Right @leveragesir has been hacked for $355k
This is a clever attack. In the vulnerable contract Vault (https://t.co/RycDbFY5Xq) there is a uniswapV3SwapCallback function that uses transient storage to verify the caller. Specifically, it loads an address… pic.twitter.com/u6PhksPV31
— Decurity (@DecurityHQ) March 30, 2025
Technical Details of the Attack
Blockchain researcher Yi from Supremacy explained the vulnerability in detail. The issue stemmed from how the contract verified transactions.
Typically, smart contracts should only permit transactions from trusted sources like a Uniswap pool. However, SIR.trading’s contract had a critical security flaw.
The contract relied on transient storage, a temporary storage technique introduced in Ethereum’s EIP-1153 upgrade. This feature was part of the recent Dencun hard fork.
The problem is that transient storage is cleared only when the transaction ends, not when each call returns, so a value written during one call remains readable by every later call in the same transaction. The attacker used this window to overwrite the security-relevant data the contract had placed there while the transaction was still running.
The attacker then brute-forced a vanity address that the contract's check would accept, so their address passed as a legitimate caller.
Using this technique, the hacker tricked the contract into trusting their malicious address. They then used a custom contract to drain all funds from SIR.trading’s vault.
By repeatedly calling the compromised callback function, the attacker was able to redirect the entire TVL to addresses under their control. The execution was methodical and complete.
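The pattern the researchers describe, shown here as an added illustration rather than SIR.trading's actual Vault code: a callback that authorizes its caller by reading an address from a transient slot, where the same slot is later reused for other data within the transaction, next to a hardened variant that keeps authorization in its own slot and consumes it once. The contract names, slot labels, the simplified swap interface and the reason for the slot reuse are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tload/tstore require the Cancun EVM target (EIP-1153)

// Minimal stand-in for a Uniswap V3 pool; the real interface has more members.
interface IUniswapV3PoolLike {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

// Thin helpers over the EIP-1153 opcodes. Transient slots survive across
// calls inside one transaction and are zeroed only when the transaction ends.
abstract contract TransientSlots {
    function _tstore(bytes32 slot, uint256 value) internal {
        assembly { tstore(slot, value) }
    }
    function _tload(bytes32 slot) internal view returns (uint256 value) {
        assembly { value := tload(slot) }
    }
}

// VULNERABLE PATTERN (assumed design, not SIR's code): one transient slot is
// used both as "who may call the callback" and as scratch space for a number.
contract VaultSlotReuse is TransientSlots {
    bytes32 private constant SCRATCH = keccak256("example.vault.scratch");
    uint256 public lastOwed;

    function swapViaPool(address pool, int256 amount) external {
        _tstore(SCRATCH, uint256(uint160(pool)));            // expected callback caller
        IUniswapV3PoolLike(pool).swap(address(this), true, amount, 0, "");
        lastOwed = _tload(SCRATCH);                          // read the number the callback left
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata) external {
        // Authorization compares msg.sender to whatever the slot holds right now.
        require(msg.sender == address(uint160(_tload(SCRATCH))), "bad caller");
        // The slot is then reused to hand a number back to the outer call. Until
        // the transaction ends, the "expected caller" is that number, so an
        // address whose numeric value equals it would satisfy the check above.
        _tstore(SCRATCH, uint256(amount0Delta));
        // ... transfer the owed tokens to msg.sender ...
    }
}

// HARDENED PATTERN: authorization lives in a dedicated slot, is set only
// immediately before the external call, and is cleared on first use.
contract VaultHardened is TransientSlots {
    bytes32 private constant CALLER_SLOT = keccak256("example.vault.expectedCaller");
    bytes32 private constant AMOUNT_SLOT = keccak256("example.vault.amountOwed");
    uint256 public lastOwed;

    function swapViaPool(address pool, int256 amount) external {
        require(_tload(CALLER_SLOT) == 0, "swap already in progress");
        _tstore(CALLER_SLOT, uint256(uint160(pool)));
        IUniswapV3PoolLike(pool).swap(address(this), true, amount, 0, "");
        // The callback must have consumed the authorization exactly once.
        require(_tload(CALLER_SLOT) == 0, "callback did not run");
        lastOwed = _tload(AMOUNT_SLOT);
        _tstore(AMOUNT_SLOT, 0);                             // leave nothing behind
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata) external {
        address expected = address(uint160(_tload(CALLER_SLOT)));
        require(expected != address(0) && msg.sender == expected, "bad caller");
        _tstore(CALLER_SLOT, 0);                             // one-shot: a second call in this tx fails
        _tstore(AMOUNT_SLOT, uint256(amount0Delta));         // data never touches the auth slot
        // ... transfer the owed tokens to msg.sender ...
    }
}
```

When reviewing a contract that uses EIP-1153, list every tstore and tload site per slot. A slot that is read for authorization and also written with anything other than an authorization value in the same transaction is the pattern to flag. Clearing the slot on first use additionally stops the callback from being accepted more than once per transaction, which is the repeated-call sequence described above.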
Aftermath and Implications
Xatarrer, the anonymous creator of SIR.trading, acknowledged the attack after it happened. They described it as “the worst news a protocol could receive.”
Despite the devastating loss, Xatarrer expressed interest in rebuilding the protocol. They asked for community feedback on what steps to take next.
TenArmor reported that the stolen funds were deposited into an address funded through the Ethereum privacy solution Railgun. Xatarrer has reached out to Railgun for assistance.
Security experts note this may be among the first instances of hackers exploiting Ethereum’s transient storage feature in the real world. The feature was added to Ethereum with last year’s Dencun upgrade.
According to SupLabsYi, transient storage is still a “nascent feature.” The attack may expose broader vulnerabilities beyond this single incident.
“This isn’t merely a threat aimed at a single instance of uniswapV3SwapCallback,” SupLabsYi warned on X. The implications could extend to other protocols using similar mechanisms.
The SIR.trading documentation did acknowledge potential risks. It warned users that despite being audited, its smart contracts could still contain bugs leading to financial losses.
The documentation specifically highlighted the platform’s vaults as a particular area of vulnerability. This warning proved prescient given the nature of the attack.
Security experts caution that unless developers build stronger safeguards into their smart contracts, similar attacks may occur. The incident serves as a warning for protocols utilizing Ethereum’s transient storage.
The exploitation of this new Ethereum feature raises questions about the security implications of the Dencun hard fork. Developers may need to reassess how they implement transient storage in their contracts.
As the DeFi space continues to evolve, this hack underscores the ongoing security challenges. Even smaller protocols can become targets for sophisticated exploits.