Hackers struck again this week, this time by taking advantage of an exploitable flaw in Temple DAO’s code. Temple’s “STAX Finance” protocol, which provided a liquidity pool of TEMPLE and FRAX tokens, was exploited early Tuesday, with the attacker walking away with roughly $2.3M worth of tokens.
Let’s look at what we know in the early hours after the exploit.
Down Goes The Temple
According to blockchain auditors Paladin, the vulnerability sat in the staking contract’s ‘migrateStake’ function. The exploit was first called out by Spreek on Twitter. Arguably the most bizarre part of the whole thing is that the funds were likely there for the taking for some time: according to well-known dev 0xfoobar, they were “available on chain for months,” which leaves quite a bit to be desired from all parties involved.
Temple DAO appears to have been unaudited, and the smart contract code did not meet the standard one would expect of a multi-million dollar liquidity pool; as the sources above point out, the exploit was surprisingly easy. The exploiter simply used an old staking call together with a fake address to withdraw the LP funds. The vulnerability had been open to abuse for several months.
The Temple DAO's exploiter swapped LP tokens for ETH funds on their way out. | Source: ETH-USD on TradingView.com
The Exploits Continue
Sleuths have already discovered that the exploiter’s wallet was funded from a Binance wallet, so it’s quite possible that Binance will look into tracking that wallet down (STAX has advised that they are “following up with Binance and will initialize a white hat bounty for the exploiter”). Otherwise, this is unfortunately just one more exploit to add to the list.
Nonetheless, it’s far from the ‘nail in the coffin’ for the lesser-known Temple DAO. According to DefiLlama, the DAO has a total value locked (TVL) just shy of $60M – so it should live to see another day.
Source: https://bitcoinist.com/temple-dao-exploited-for-2m/