Synthetics Implemented Right (SIR.trading), an Ethereum-based DeFi protocol, suffered a devastating hack on March 30, 2025. The attack resulted in the loss of the entire $355,000 total value locked (TVL) at the time. The breach was first detected by blockchain security firms TenArmorAlert and Decurity, which swiftly issued warnings on social media. The founder, Xatarrer, acknowledged the severity of the breach, calling it “the worst news” for the protocol, but suggested that efforts would be made to keep the protocol active.
The attack targeted a specific vulnerability in the protocol’s contract vault, which used Ethereum’s transient storage feature. Decurity described the hack as a “clever attack” that exploited a callback function in the vault’s code. The attacker replaced the real Uniswap pool address with an address under their control, allowing them to redirect the funds. By continuously invoking the callback function, the hacker drained the vault’s entire balance.
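The callback trust problem described above, as an added Python model (not SIR.trading's contract code): a guard that reads the expected pool address from transient storage accepts whatever the slot holds at callback time, while a guard pinned to an immutable pool set with a one-shot slot does not. Class names, the slot number and the addresses are constructed, and the direct slot write stands in for the contract's write path, which the article does not describe.

```python
# Added illustration: a simplified model, not SIR.trading's contract code.
POOL_SLOT = 1                            # hypothetical slot number
REAL_POOL, OTHER = "0xPOOL", "0xOTHER"   # constructed addresses
class TransientStore:
    """Transient storage: values persist until the transaction ends."""
    def __init__(self):
        self._slots = {}
    def tstore(self, slot, value):
        self._slots[slot] = value
    def tload(self, slot):
        return self._slots.get(slot, 0)

class SlotTrustingVault:
    """Weak guard: the expected callback caller comes from a transient slot."""
    def __init__(self, balance):
        self.balance, self.ts = balance, TransientStore()
    def begin_swap(self, pool):
        self.ts.tstore(POOL_SLOT, pool)
    def callback(self, caller, amount):
        if caller != self.ts.tload(POOL_SLOT):
            raise PermissionError("caller is not the expected pool")
        paid = min(amount, self.balance)
        self.balance -= paid
        return paid

class PinnedVault(SlotTrustingVault):
    """Hardened guard: immutable pool set, and the slot is cleared after use."""
    def __init__(self, balance, known_pools):
        super().__init__(balance)
        self.known_pools = frozenset(known_pools)
    def callback(self, caller, amount):
        if caller not in self.known_pools:
            raise PermissionError("caller is not a known pool")
        paid = super().callback(caller, amount)
        self.ts.tstore(POOL_SLOT, 0)     # one callback per swap
        return paid

def replay(vault, slot_value, caller, attempts=5, amount=100):
    """Start a swap, overwrite the slot, then count accepted callbacks."""
    vault.begin_swap(REAL_POOL)
    vault.ts.tstore(POOL_SLOT, slot_value)  # stand-in for an unspecified write path
    accepted = 0
    for _ in range(attempts):
        try:
            vault.callback(caller, amount)
            accepted += 1
        except PermissionError:
            break
    return accepted, vault.balance
```

`replay` returns the number of accepted callbacks and the remaining balance, so the weak guard can be compared with the pinned one on the same inputs.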
The attack also raised concerns about the security of Ethereum’s transient storage, a feature introduced in the Dencun hard fork. According to blockchain security expert SupLabsYi, this may be one of the first significant attacks exploiting the vulnerabilities in transient storage. While Ethereum’s transient storage reduces gas fees by offering temporary data storage, it remains a nascent feature. This attack, which leveraged a flaw in the feature, could signal emerging risks in its use.
Despite the loss, the team behind SIR.trading remains determined to continue operations. The stolen funds were sent to an address linked to the Ethereum privacy solution Railgun. Xatarrer reached out to Railgun for help in tracing and recovering the funds. The protocol had previously marketed itself as a safer DeFi platform for leveraged trading, but its documentation highlighted the risk of bugs in its smart contracts, including the vulnerability that led to this breach.