Volt Inu ($VOLT) recorded a new market pump as the team made several new announcements regarding its ecosystem development. As a result, the token has seen a surge in activity on exchanges, reaching the top trends on Twitter and many of the 100+ exchanges they are listed on. The team's latest announcements add a new dimension to the VOLT ecosystem with developments like Voltiflex and rumors about an upcoming burn worth $10,000,000+ at least. The market reacted positively to the…
Earlier today, yield farming platform TempleDAO suffered losses scaling $2 million after a hacker breached the protocol. This attack is the latest in a series of exploits across the DeFi industry over the past few weeks.
Almost 2000 ETH Stolen
Twitter user spreekaway first caught sight of the attack via on-chain data which they shared in a tweet. Blockchain security company Peckshield later confirmed the news on their Twitter page. According to the firm’s report, the attacker funded the exploit from SimpleSwap.
Peckshield noted that the culprit was able to send 1,831 ETH, about $2.34M to a separate crypto wallet. Another blockchain analysis firm, BlockSec weighed in on the matter soon after. The firm’s post identified the hacker’s point of entry as insufficient access control to the staking function “migrateStake.”
CertiK also chimed in to explain that the function in question failed to confirm if the input oldStaking was expected.
As a result, attackers can forge oldStaking contracts to arbitrarily add balances.”
Attacker Exploits Opening in Staking Contract
Analysts spotted the vulnerability in the xLPtaking contract for Temple’s STAX Finance protocol. STAX is a liquidity layer of Temple and FRAX tokens. The platform shared an update on the exploit which TempleDAO later reposted.
STAX Finance’s post stated that the hacker had made off with 321,154 xLP tokens from the vulnerable staking contract. They then converted the funds to 1,418,303 $TEMPLE tokens and 1,262,438 $FRAX lantern swapping TEMPLE tokens for FRAX.
The STAX thread clarified that there was indeed an absent onlyMigrator check. In the post, the team warned users to avoid making deposits to STAX contracts until they had resolved the issue. They also took down the dApp to ensure users didn’t accidentally use it.
TempleDAO revealed that they were working with Binance and had plans to roll out a white hat bounty for the attacker.
We are increasing our existing bounty with Hats Finance and establishing secure communications if the hacker chooses to return funds and receive a legal bounty,” said the post.
TempleDAO Joins the List of Exploited DeFi Platforms
Well-known developer 0xfoobar also spoke about the hack on Twitter, describing it as the “sorriest” they had ever seen. According to the dev, the gap in the code had been there for months meaning the attack could have occurred a lot sooner.
this TEMPLE hack has to be the sorriest one I’ve seen yet. $2m gone, was available onchain for months, they put no access control modifiers on a “migrateWithdraw” function that lets you specify an arbitrary address pic.twitter.com/usF96Jcr21
— foobar (@0xfoobar) October 11, 2022
I’m ashamed of both the dev team and the exploiters,” 0xfoobar said.
They then added that the vulnerability shouldn’t have gone unnoticed for so long by either the team or the hacker.
Over the past weeks, the DeFi space has suffered a string of exploits. Among the most recent are Transit Swap and Wintermute, the platforms experienced a combined loss of almost $200M. Binance’s BNB chain was a target just last week, the hacker was able to withdraw $570M but could only cart off $110 million.