
Sorra Finance Staking Contract Drained of $41,000 in Reward Logic Exploit

On January 4, 2025, the Sorra Finance staking protocol fell victim to a smart contract exploit that siphoned approximately $41,000 worth of tokens from its platform. The attack targeted a fundamental flaw in the reward distribution mechanism, exposing how even seemingly minor logic errors in DeFi contracts can lead to significant financial losses. With Bitcoin trading around $98,200 and Ethereum near $3,650 at the time, the broader crypto market remained bullish, making the exploit a stark reminder that security vigilance is non-negotiable regardless of market conditions.

The Exploit Mechanics

The attacker began preparation on December 21, 2024, depositing 122,868 SOR tokens into the Sorra staking contract and selecting a 14-day lockup period (tier 0). Once the lockup expired on January 4, the attacker executed a series of repeated withdrawals that exploited a critical vulnerability in the getPendingRewards() function. This function was designed to calculate pending rewards for users, but it failed to properly account for rewards that had already been distributed. Specifically, the function did not deduct userRewardsDistributed[_msgSender()] from its calculations, meaning the same reward amount of 6,143 SOR tokens could be claimed over and over again.

By calling the withdraw() function repeatedly with minimal amounts (as low as 1 wei), the attacker was able to claim fresh rewards each time without the system recording that those rewards had already been paid out. Through approximately 500 repeated calls, the attacker accumulated 3,071,721 SOR tokens before swapping them on UniswapV2 for roughly $41,000 in profit.

Affected Systems

The vulnerability was confined to the Sorra staking contract deployed at address 0x5d16b8ba2a9a4eca6126635a6ffbf05b52727d50 on the Ethereum network. The attacker used two separate contract addresses to orchestrate the exploit: 0xFa3925 and 0xB575b, with the primary attack transaction originating from address 0xdc8076. The lockup tier system itself functioned correctly — tier 0 at 14 days, tier 1 at 30 days, and tier 2 at 60 days all enforced their waiting periods as designed. The failure was isolated to the reward accounting logic within the withdrawal flow.

The Mitigation Strategy

Preventing this type of exploit requires correct state tracking in the reward path. getPendingRewards() must subtract the caller's userRewardsDistributed balance (or, equivalently, checkpoint a reward debt on every deposit and withdrawal) so that each unit of reward can be paid out exactly once. Note that a reentrancy guard would not have stopped this attack: the attacker's withdraw() calls were sequential, each one completing before the next, so nothing was re-entered. A per-transaction withdrawal cap would only have raised the attacker's gas bill, not closed the hole. Protocols deploying staking contracts should undergo audits that specifically test edge cases in reward accrual and withdrawal logic, including invariant tests asserting that a position can never receive more reward than it has accrued across any sequence of deposits and withdrawals. The Sorra exploit underscores the importance of not just auditing individual functions but testing the interaction between deposit, reward calculation, and withdrawal as a complete system.
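The accounting flaw described under The Exploit Mechanics, and the fix described under The Mitigation Strategy, modelled in Python as an added illustration. This is not Sorra's Solidity and not code from the article. Everything the article does not state is an assumption: the reward is taken to be a one-off 5% of the deposited principal (chosen so that 122,868 SOR yields the 6,143 SOR per-call figure), SOR is given 18 decimals, the reward pool size is arbitrary, and the `deduct_distributed` toggle stands in for the missing `userRewardsDistributed` subtraction. The `rewards_within_entitlement` invariant is the kind of check an audit test suite should run after any sequence of withdrawals.

```python
from dataclasses import dataclass

WEI = 10**18                         # assumption: SOR has 18 decimals
LOCKUP_DAYS = {0: 14, 1: 30, 2: 60}  # tiers exactly as the article describes them
REWARD_BPS = 500                     # ASSUMED reward: a one-off 5% of principal
                                     # (122,868 SOR * 5% = 6,143.4 SOR, the per-call figure in the article)


@dataclass
class Position:
    principal: int        # amount originally staked (wei)
    amount: int           # amount still staked (wei)
    tier: int
    start_day: int
    distributed: int = 0  # plays the role of userRewardsDistributed[user]


class StakingContract:
    """Reward accounting only. deduct_distributed=False reproduces the Sorra bug."""

    def __init__(self, deduct_distributed: bool, reward_pool: int) -> None:
        self.deduct_distributed = deduct_distributed
        self.reward_pool = reward_pool                 # SOR held for paying rewards (wei)
        self.positions: dict[str, Position] = {}
        self.paid_out: dict[str, int] = {}             # principal + rewards sent per user (wei)

    def deposit(self, user: str, amount: int, tier: int, day: int) -> None:
        if user in self.positions:
            raise ValueError("one position per user in this model")
        self.positions[user] = Position(amount, amount, tier, day)
        self.paid_out[user] = 0

    def _unlocked(self, pos: Position, day: int) -> bool:
        return day >= pos.start_day + LOCKUP_DAYS[pos.tier]

    def get_pending_rewards(self, user: str, day: int) -> int:
        pos = self.positions[user]
        if not self._unlocked(pos, day):
            return 0
        accrued = pos.principal * REWARD_BPS // 10_000   # everything this position ever earns
        if self.deduct_distributed:
            accrued -= pos.distributed                   # the subtraction the live contract lacked
        return accrued

    def withdraw(self, user: str, amount: int, day: int) -> int:
        """Returns the reward paid on this call. Plain sequential calls; no reentrancy involved."""
        pos = self.positions[user]
        if not self._unlocked(pos, day):
            raise ValueError("lockup not expired")
        if amount > pos.amount:
            raise ValueError("insufficient stake")
        reward = self.get_pending_rewards(user, day)
        if reward > self.reward_pool:
            raise ValueError("reward pool exhausted")
        pos.distributed += reward      # the state IS recorded; the bug is that it is never read back
        pos.amount -= amount
        self.reward_pool -= reward
        self.paid_out[user] += amount + reward
        return reward


def run_attack(deduct_distributed: bool, calls: int = 500) -> tuple[int, StakingContract]:
    """Replay the timeline: deposit on day 0 (Dec 21), drain on day 14 (Jan 4) once tier 0 unlocks."""
    c = StakingContract(deduct_distributed, reward_pool=4_000_000 * WEI)  # pool size is assumed
    c.deposit("attacker", 122_868 * WEI, tier=0, day=0)
    total = 0
    for _ in range(calls):
        total += c.withdraw("attacker", 1, day=14)   # 1-wei withdrawals, as in the exploit
    return total // WEI, c                            # whole SOR received as reward


def rewards_within_entitlement(c: StakingContract) -> bool:
    """Invariant an audit test suite should assert after any sequence of withdraws."""
    return all(p.distributed <= p.principal * REWARD_BPS // 10_000
               for p in c.positions.values())


if __name__ == "__main__":
    buggy, _ = run_attack(deduct_distributed=False)
    fixed, _ = run_attack(deduct_distributed=True)
    print(f"vulnerable: {buggy:,} SOR in rewards after 500 calls; fixed: {fixed:,} SOR")
```

With the subtraction missing, 500 calls pay 500 full rewards (3,071,700 SOR in this model, against the 3,071,721 SOR reported); with it present, the first call pays 6,143 SOR and every later call pays zero. The invariant function is the check to wire into a fuzz or property test: it fails immediately on the vulnerable variant, regardless of how many calls the fuzzer makes.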

Lessons Learned

Several key takeaways emerge from this incident. First, lockup periods and tier systems provide no protection against logic flaws in the reward mechanism itself; they only dictate when the flaw becomes reachable. Second, the attack required only a modest initial deposit: the 122,868 SOR staked is about 4% of the 3,071,721 SOR drained, or roughly $1,600 at the price the attacker sold for, so attackers do not need significant capital to exploit reward calculation bugs. Third, the attacker deposited two weeks in advance and waited out the minimum lockup, which points to a planned exploit against code that had already been analyzed, highlighting the need for proactive security reviews rather than reactive patching.

User Action Required

Users who interacted with the Sorra staking contract should immediately check their token balances and review any pending transactions. If you staked SOR tokens, monitor the official Sorra channels for updates on remediation or compensation plans. More broadly, before staking in any DeFi protocol, verify that the contract has been audited by a reputable security firm, and be cautious with protocols that offer unusually high staking rewards without transparent security documentation. Always use hardware wallets for large holdings and never approve unlimited token allowances unless you fully understand the associated risks.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


13 thoughts on “Sorra Finance Staking Contract Drained of $41,000 in Reward Logic Exploit”

    1. static_analysis_

      audits didn't catch this because the bug was in business logic, not a reentrancy or overflow. static analysis tools miss reward calculation errors almost every time

      1. static_analysis_ nailed it. auditors catch reentrancy all day but nobody writes tests for double claiming rewards. seen this bug pattern three times now

      2. static_analysis_ nailed it. every audit tool catches reentrancy but nobody tests reward math for double claiming. seen this exact pattern three times now

  1. 122,868 SOR tokens staked for 14 days just to drain $41k. the ROI on that exploit prep was basically minimum wage lol

    1. rekt_accounting

      TVL recovery means nothing when a $41k exploit happened because getPendingRewards didn't check distributed amounts. basic accounting logic that somehow passed review

      1. getPendingRewards not deducting already distributed amounts is such a basic accounting error. how does that pass review

  2. the attacker prepped for 14 days before exploiting. deposited 122k SOR tokens on Dec 21 and just waited for the lockup to expire

  3. Anastasia Volkov

    this is why I read BitcoinsNews. actual substance instead of recycled narratives. the original research angle is refreshing
