On October 11, an unidentified individual obtained 1,831 ETH (about $2.3 million) from one of the staking vaults by abusing a flaw in the TempleDAO DeFi project smart contract. The team pledged to reimburse users who were harmed by the hack.
The attacker withdrew a total of 321,154 xLP tokens in a series of transactions, swapping them for 1,262,438 FRAX and 1,418,303 TEMPLE. He later converted the latter asset into FRAX.
"Several incidents of misuse" in the migrateStake function were the root cause of the exploit. This function lets users move staked tokens from an earlier contract. By calling the function with a bogus address, the attacker was able to enter the vault and extract all of the money without creating a new contract.
"The exploit is among the smallest-scale ones in recent memory. [...] The contract had a weakness when it was launched more than 100 days ago," according to a statement from Paladin. Operations were carried out using a Binance-registered account. Project representatives got in touch with the exchange's security service.
The creators advised against making deposits into STAX contracts.
The team said it would pay a reward if the hacker returned the stolen money.
The project's other repositories are secure and unaffected. According to DeFi Llama, TempleDAO has $109.8 million set aside.
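The migrateStake flaw described above, as a Python model added here for illustration; it is not TempleDAO's contract code. Every class and method name is hypothetical, and it assumes the migration entry point credits the caller after asking a caller-supplied contract to release the stake. The hardened form allowlists the source contract and confirms that the tokens actually arrived.

```python
"""Constructed model of a stake-migration entry point; not TempleDAO's code."""

class Token:
    def __init__(self):
        self.balances = {}
    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class OldStaking:
    """Earlier contract: releases a staker's tokens to the migrating vault."""
    def __init__(self, token, stakes):
        self.token, self.stakes = token, dict(stakes)
        token.balances[self] = sum(stakes.values())
    def migrate_withdraw(self, vault, staker, amount):
        if self.stakes.get(staker, 0) < amount:
            raise ValueError("stake too small")
        self.stakes[staker] -= amount
        self.token.transfer(self, vault, amount)

class UnrelatedContract:
    """Stands in for the bogus address: same method name, moves nothing."""
    def migrate_withdraw(self, vault, staker, amount):
        pass

class Vault:
    def __init__(self, token, trusted_old):
        self.token, self.trusted_old, self.credited = token, trusted_old, {}
    def migrate_stake_unchecked(self, caller, old, amount):
        # Weak form: trusts whatever contract the caller names.
        old.migrate_withdraw(self, caller, amount)
        self.credited[caller] = self.credited.get(caller, 0) + amount
    def migrate_stake(self, caller, old, amount):
        # Hardened form: allowlist the source, then confirm tokens arrived.
        if old is not self.trusted_old:
            raise PermissionError("migration source is not the trusted contract")
        before = self.token.balances.get(self, 0)
        old.migrate_withdraw(self, caller, amount)
        if self.token.balances.get(self, 0) - before != amount:
            raise RuntimeError("migrated tokens did not arrive")
        self.credited[caller] = self.credited.get(caller, 0) + amount
    def solvent(self):
        # Invariant to monitor: credited stake never exceeds tokens held.
        return sum(self.credited.values()) <= self.token.balances.get(self, 0)
```

The `solvent()` check is the kind of invariant a monitoring job or test suite can assert after every state-changing call.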
Recall that on October 11, an unidentified user withdrew more than $1,000,000 from the blockchain network QANplatform.
Specialists at the Immunefi bounty platform previously put the cost to the Web3 ecosystem from fraud and attacks at $428.7 million for the third quarter of 2022.
Hacks accounted for $399 million of the total. The Wintermute market maker ($160 million) and the Nomad cross-chain protocol ($190 million) account for the majority of the losses.