Hacker Steals Over $2M From DeFi Platform TempleDAO

Earlier today, yield farming platform TempleDAO suffered losses of over $2 million after a hacker breached the protocol. This attack is the latest in a series of exploits across the DeFi industry over the past few weeks.

Almost 2000 ETH Stolen

Twitter user spreekaway first caught sight of the attack via on-chain data which they shared in a tweet. Blockchain security company Peckshield later confirmed the news on their Twitter page. According to the firm’s report, the attacker funded the exploit from SimpleSwap. 

Peckshield noted that the culprit was able to send 1,831 ETH, about $2.34M, to a separate crypto wallet. Another blockchain analysis firm, BlockSec, weighed in on the matter soon after. The firm’s post identified the hacker’s point of entry as insufficient access control on the staking function “migrateStake.”

CertiK also chimed in to explain that the function in question “failed to confirm if the input oldStaking was expected. As a result, attackers can forge oldStaking contracts to arbitrarily add balances.”

Attacker Exploits Opening in Staking Contract

Analysts spotted the vulnerability in the xLPStaking contract for Temple’s STAX Finance protocol. STAX is a liquidity layer for Temple and FRAX tokens. The platform shared an update on the exploit, which TempleDAO later reposted.

STAX Finance’s post stated that the hacker had made off with 321,154 xLP tokens from the vulnerable staking contract. They then converted the funds to 1,418,303 $TEMPLE tokens and 1,262,438 $FRAX before swapping the TEMPLE tokens for FRAX.

The STAX thread clarified that there was indeed an absent onlyMigrator check. In the post, the team warned users to avoid making deposits to STAX contracts until they had resolved the issue. They also took down the dApp to ensure users didn’t accidentally use it. 
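To make the flaw described by CertiK and STAX concrete, here is an added illustrative Solidity sketch, not STAX’s actual contract (the contract names, the migrator and legacyStaking variables and the balance bookkeeping are assumptions): a migrateStake that trusts any caller-supplied oldStaking address, beside a hardened version that restricts both who may call it and which old contract is accepted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface a staking contract exposes; assumed for illustration only.
interface IStaking {
    function balanceOf(address account) external view returns (uint256);
}

// Simplified contract with the vulnerable pattern the article describes:
// migrateStake accepts any oldStaking address and credits whatever it reports.
contract VulnerableStaking {
    mapping(address => uint256) public balances;

    // No onlyMigrator check and no validation of oldStaking, so the balance
    // source is entirely chosen by the caller.
    function migrateStake(address oldStaking, uint256 amount) external {
        require(IStaking(oldStaking).balanceOf(msg.sender) >= amount, "insufficient");
        balances[msg.sender] += amount;
    }
}

// Hardened version: migration may only be driven by a designated migrator
// contract, and only one known previous staking contract is accepted.
contract HardenedStaking {
    mapping(address => uint256) public balances;
    address public immutable migrator;      // trusted migration contract (assumed)
    address public immutable legacyStaking; // the single old contract allowed (assumed)

    constructor(address _migrator, address _legacyStaking) {
        migrator = _migrator;
        legacyStaking = _legacyStaking;
    }

    modifier onlyMigrator() {
        require(msg.sender == migrator, "not migrator");
        _;
    }

    // The migrator supplies the account and amount it has already verified on
    // the legacy contract; oldStaking is checked against the fixed address.
    function migrateStake(address oldStaking, address account, uint256 amount)
        external
        onlyMigrator
    {
        require(oldStaking == legacyStaking, "unknown staking contract");
        require(IStaking(oldStaking).balanceOf(account) >= amount, "insufficient");
        balances[account] += amount;
    }
}
```

The two checks are independent: the onlyMigrator modifier stops arbitrary callers, and the legacyStaking comparison stops a trusted caller from being pointed at a contract whose balanceOf returns fabricated values.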

TempleDAO revealed that they were working with Binance and had plans to roll out a white hat bounty for the attacker. 

“We are increasing our existing bounty with Hats Finance and establishing secure communications if the hacker chooses to return funds and receive a legal bounty,” said the post.

TempleDAO Joins the List of Exploited DeFi Platforms

Well-known developer 0xfoobar also spoke about the hack on Twitter, describing it as the “sorriest” they had ever seen. According to the dev, the gap in the code had been there for months, meaning the attack could have occurred a lot sooner.

“I’m ashamed of both the dev team and the exploiters,” 0xfoobar said.

They then added that the vulnerability shouldn’t have gone unnoticed for so long by either the team or the hacker. 


Over the past weeks, the DeFi space has suffered a string of exploits. Among the most recent are Transit Swap and Wintermute; the two platforms experienced a combined loss of almost $200M. Binance’s BNB chain was a target just last week: the hacker was able to withdraw $570M but could only cart off $110 million.
