On October 11, an unknown person exploited an error in a smart contract of the TempleDAO DeFi project and stole 1831 ETH (~$2.3 million) from one of the staking vaults. The team promised to return the funds to the users affected by the attack.
In a series of transactions, the attacker withdrew a total of 321,154 xLP tokens, exchanging them for 1,262,438 FRAX and 1,418,303 TEMPLE. Later, he converted the latter asset into FRAX.
The reason for the exploit was “several abuses” in the migrateStake function, which allows users to transfer deposited tokens from an older contract. The attacker called the function with a fake address, which gave him access to withdraw all funds from the vault to his own wallet instead of to a new contract.
“The exploit is one of the most trivial at scale in recent times. […] The contract was deployed more than 100 days ago with a vulnerability that was exploited only now,” Paladin said in a statement.
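The migrateStake flaw described above, sketched in Solidity as an added example; this is not TempleDAO's contract code. Every name other than migrateStake is hypothetical, and the sketch assumes the new vault credits the caller after asking a caller-supplied "old" contract to release tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative sketch only: all names except migrateStake are hypothetical.
interface IOldStaking {
    // Expected to release `amount` of `staker`'s stake to the caller (the new vault).
    function migrateWithdraw(address staker, uint256 amount) external;
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract MigrationSketch {
    IERC20 public immutable stakingToken;
    address public immutable owner;
    mapping(address => uint256) public balances;        // stake credited per user
    mapping(address => bool) public trustedOldStaking;  // allowlist of real old contracts

    constructor(IERC20 token) {
        stakingToken = token;
        owner = msg.sender;
    }

    function setTrustedOldStaking(address old, bool ok) external {
        require(msg.sender == owner, "not owner");
        trustedOldStaking[old] = ok;
    }

    // Weak pattern: `oldStaking` comes from the caller and is never validated,
    // so any contract whose migrateWithdraw does nothing still earns a credit.
    function migrateStakeUnchecked(address oldStaking, uint256 amount) external {
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        balances[msg.sender] += amount; // credited without proof of a transfer
    }

    // Hardened form: accept only allowlisted old contracts and credit the
    // caller only when the vault's token balance actually rose by `amount`.
    function migrateStake(address oldStaking, uint256 amount) external {
        require(trustedOldStaking[oldStaking], "unknown old staking contract");
        uint256 balanceBefore = stakingToken.balanceOf(address(this));
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        uint256 received = stakingToken.balanceOf(address(this)) - balanceBefore;
        require(received == amount, "tokens not received");
        balances[msg.sender] += amount;
    }
}
```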
The operations were performed from an account registered on Binance. Representatives of the project contacted the exchange's security service.
The developers recommended refraining from depositing funds into STAX contracts.
The team promised the hacker a reward if the stolen funds are returned.
Other project vaults are not affected and are safe. According to DeFi Llama, the total value locked in TempleDAO is $109.8 million.
Recall that on October 11, an unknown person withdrew more than $1 million from the QANplatform blockchain platform.
Earlier, experts of the Immunefi bounty platform estimated the losses of the Web3 ecosystem from hacking and fraud in the third quarter of 2022 at $428.7 million.
Of the total figure, hacker attacks accounted for $399 million. Most of the losses are related to two incidents: the Nomad cross-chain protocol ($190 million) and the Wintermute market maker ($160 million).