SIR.trading DeFi Protocol Loses $355K in Hack Targeting Ethereum’s Transient Storage

Nitin Gupta - Ethereum - March 31, 2025


TLDR

  • SIR.trading DeFi protocol lost its entire $355K TVL in a hack on March 30, 2025.
  • The attack exploited a vulnerability in the protocol’s Vault contract by manipulating a callback function.
  • This may be one of the first real-world attacks targeting Ethereum’s transient storage feature introduced in the Dencun upgrade.
  • The stolen funds were transferred to an address funded through Railgun, an Ethereum privacy solution.
  • Despite the setback, the protocol’s founder (Xatarrer) indicated interest in continuing the project.

Ethereum-based DeFi protocol SIR.trading was completely drained of funds in a hack on March 30, 2025. The attack resulted in the loss of approximately $355,000, which represented the protocol’s entire total value locked (TVL).

The hack was first detected by blockchain security firms TenArmorAlert and Decurity. Both companies posted warnings on X (formerly Twitter) to alert users of the breach.

🚨TenArmor Security Alert🚨

Our system has detected a suspicious attack involving #SIR.trading @leveragesir on #ETH, resulting in an approximate loss of $353.8K.

The stolen funds have been deposited into RailGun.

Attack transaction: https://t.co/W5SRnzKjDF… pic.twitter.com/e1OOQoKbhz

— TenArmorAlert (@TenArmorAlert) March 30, 2025

SIR.trading, which stands for Synthetics Implemented Right, was designed as “a new DeFi protocol for safer leverage.” The platform aimed to address common challenges in leveraged trading such as volatility decay and liquidation risks.

The protocol’s founder, known only by the pseudonym Xatarrer, described the incident as “the worst news a protocol could receive.” Despite this major setback, Xatarrer suggested the team plans to continue developing the protocol.

So we got the worst news a protocol could receive and got hacked for our entire TVL ($355k).

I (@Xatarrer) would like to not throw the towel here as I truly believe in SIR.

If you also believe in the core protocol and have any idea on how to proceed forward, please DM. https://t.co/FD6QxwfXP4

— SIR.trading (🦍^🎩) (@leveragesir) March 30, 2025

Security experts have described the attack as “clever.” It specifically targeted a callback function in the protocol’s Vault contract that leverages Ethereum’s transient storage feature.

According to an analysis by Decurity, the attacker was able to replace the real Uniswap pool address with an address they controlled. This allowed them to redirect funds from the vault to their own address.

TenArmorAlert explained that by repeatedly calling this callback function, the hacker drained the protocol’s entire TVL. The stolen funds have reportedly been deposited into an address funded through Railgun, an Ethereum privacy solution.

Exploiting Ethereum’s New Feature

SupLabsYi from blockchain security firm Supremacy provided more technical details about the attack. They noted that it may demonstrate a security flaw in Ethereum’s transient storage feature.

6/ What’s striking is that transient storage, introduced via EIP-1153 in the Dencun hard fork, is still a nascent feature. This may be one of the first real-world attacks exploiting its vulnerabilities, and may signal further changes in attack trends. https://t.co/8du3e1IVDV

— Yi (@SuplabsYi) March 30, 2025

Transient storage was added to Ethereum with the Dencun upgrade last year. This feature allows for temporary storage of data and leads to lower gas fees than regular storage options.

Security researchers believe this may be one of the first attacks to exploit vulnerabilities in this new feature. SupLabsYi warned that “this isn’t merely a threat aimed at a single instance of uniswapV3SwapCallback.”

The vulnerability seems related to how the SIR.trading contract verified transactions. Typically, smart contracts should only permit transactions from trusted sources like a Uniswap pool.

However, the contract relied on transient storage, which resets only after a transaction ends. The hacker exploited this by overwriting important security data while the transaction was still running.

According to blockchain researcher Yi, the attacker brute-forced a unique vanity address. This enabled the contract to register their fake address as legitimate.

The hacker then used a custom contract to drain all funds from SIR.trading’s vault. Xatarrer has reached out to Railgun for assistance in potentially tracking or recovering the stolen funds.
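
The lifetime issue described above, as a simplified Python model added here (it is not SIR.trading's contract code and does not come from the cited analyses): transient slots are shared by every call inside one transaction, so a caller check that trusts a slot's current value can pass after a later write to that slot. The class names, slot identifiers and the `scratch` value are constructed assumptions.

```python
class Tx:
    """One transaction. Transient slots persist across every call inside it
    and are discarded only when the transaction ends (EIP-1153 behaviour)."""
    def __init__(self):
        self.transient = {}

class NaiveVault:
    SLOT = 1  # constructed: one slot holds the expected caller AND later data

    def start_swap(self, tx, pool):
        tx.transient[self.SLOT] = pool            # "who may call me back"

    def swap_callback(self, tx, caller, scratch):
        if tx.transient.get(self.SLOT) != caller:
            raise PermissionError("unexpected callback caller")
        tx.transient[self.SLOT] = scratch         # later write, slot never cleared
        return "paid"

class HardenedVault:
    CALLER_SLOT = "vault.expected_caller"         # dedicated slot, never reused

    def __init__(self, trusted_pools):
        self.trusted_pools = frozenset(trusted_pools)  # fixed allow-list

    def start_swap(self, tx, pool):
        if pool not in self.trusted_pools:
            raise PermissionError("pool not on allow-list")
        tx.transient[self.CALLER_SLOT] = pool

    def swap_callback(self, tx, caller, scratch):
        expected = tx.transient.pop(self.CALLER_SLOT, None)  # clear on use
        if expected is None or caller != expected or caller not in self.trusted_pools:
            raise PermissionError("unexpected callback caller")
        return "paid"   # scratch data would go to a different slot

def second_callback_accepted(vault, pool, other):
    """Same transaction: one legitimate swap, then a direct callback from `other`."""
    tx = Tx()
    vault.start_swap(tx, pool)
    vault.swap_callback(tx, pool, scratch=other)  # constructed: written value equals `other`
    try:
        vault.swap_callback(tx, other, scratch=0)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print("naive vault accepts second callback:",
          second_callback_accepted(NaiveVault(), "POOL", "OTHER"))
    print("hardened vault accepts second callback:",
          second_callback_accepted(HardenedVault(["POOL"]), "POOL", "OTHER"))
```

The hardened variant combines three independent controls: a slot used for nothing else, clearing the slot as soon as the callback consumes it, and a caller allow-list that does not live in transient storage.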

Interestingly, SIR.trading’s documentation did warn users about potential risks. It stated that despite being audited, its smart contracts could still contain bugs that might lead to financial losses.

The documentation specifically highlighted the platform’s vaults as a particular area of vulnerability. It warned that “undiscovered bugs or exploits in SIR’s smart contracts could lead to fund losses.”

This incident raises questions about the security of transient storage in Ethereum. Security experts caution that unless developers implement stronger safeguards in their smart contracts, similar attacks could occur in the future.




