$355,000 Vanishes as SIR.trading Falls Victim to Smart Contract Exploit

The service, also known as Synthetics Implemented Right, was targeted in a way that allowed the attacker to move all funds out of the system.

Two blockchain security firms, Decurity and TenArmorAlert, noticed the issue and posted alerts on X to explain how the attacker used a weakness in the platform’s contract system to carry out the theft.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

How to Store NFTs in 2023 (3 Most Secure Ways Explained)

SUBSCRIBE

ON YOUTUBE

The problem came from a feature inside SIR.trading’s vault contract that used Ethereum’s temporary storage method, according to Decurity. This feature included a callback function, which was meant to connect with a Uniswap UNI $5.50 pool. However, the attacker managed to replace the original Uniswap address with one they controlled.

Once that change was made, they could redirect funds from the vault straight to their own account by repeatedly calling this same function.

TenArmorAlert reported that the stolen funds were later transferred to an address linked to Railgun RAIL $2.56 , a tool that provides privacy on the Ethereum network. The project’s founder, who goes by the name Xatarrer, has reached out to Railgun’s team to ask for help.

Xatarrer called it “the worst news a protocol could receive” but said the team would try to continue with the project despite the loss.

On March 25, around $13 million in ETH was lost after an exploit targeted GMX-token-based pools on Abracadabra.Money. How did the hackers pull it off? Read the full story.