DeFi Protocol SIR.trading Drained of Entire $355K TVL in Exploit Targeting Ethereum Transient Storage

The decentralized finance ecosystem suffered another blow on March 30, 2025, as Ethereum-based DeFi protocol SIR.trading fell victim to a sophisticated hack that wiped out its entire total value locked (TVL) of approximately $355,000. The attack, which security researchers describe as one of the first known exploits targeting Ethereum’s relatively new transient storage feature, raises fresh concerns about the security implications of nascent blockchain technologies.

TL;DR

  • SIR.trading lost its entire TVL of $355,000 in a hack on March 30, 2025
  • The attacker exploited a vulnerability in the protocol’s Vault contract linked to Ethereum’s transient storage feature
  • Security firms TenArmorAlert and Decurity first detected and reported the exploit
  • Stolen funds were routed through Ethereum privacy solution Railgun
  • The protocol’s founder pledged to keep the project alive despite the devastating loss

How the Attack Unfolded

The exploit was first flagged by blockchain security firms TenArmorAlert and Decurity, both of which posted urgent warnings on social media to alert users of the protocol. According to Decurity’s detailed analysis, the attack was executed through a sophisticated manipulation of a callback function in SIR.trading’s vulnerable Vault contract.

The Vault contract relied on Ethereum’s transient storage feature — a mechanism introduced in last year’s Dencun upgrade that provides temporary data storage, persisting only for the duration of a single transaction, at lower gas costs than regular storage. The attacker was able to exploit this feature by substituting the real Uniswap pool address used in the callback function with an address under their own control. This substitution enabled them to redirect the vault’s funds into their wallet. By repeatedly triggering the callback function, the attacker systematically drained the protocol’s entire TVL.

Security firm TenArmorAlert confirmed that the stolen funds were subsequently deposited into an address funded through Ethereum’s privacy solution Railgun, making recovery efforts significantly more challenging. SIR.trading’s pseudonymous founder, known as Xatarrer, has reached out to Railgun in an effort to track or potentially recover the stolen assets.

A New Class of Vulnerability

What makes this hack particularly noteworthy is its exploitation of Ethereum’s transient storage — a feature that security researchers say is still in its early days and has not been thoroughly stress-tested at scale. SupLabsYi, a researcher from blockchain security firm Supremacy, provided additional technical analysis, stating that the attack may point to a broader security concern with transient storage as a whole.

“This isn’t merely a threat aimed at a single instance of uniswapV3SwapCallback,” SupLabsYi explained, suggesting that other protocols utilizing similar transient storage patterns could be exposed to comparable risks. Transient storage was added to Ethereum with the Dencun upgrade to reduce gas fees for temporary data operations, but its novelty means the developer community is still learning about its edge cases and potential pitfalls.

Decurity described the attack as a “clever” exploitation of the callback mechanism, highlighting how even audited smart contracts can harbor vulnerabilities when they interact with newer blockchain features. The incident serves as a stark reminder that security audits, while essential, cannot guarantee complete protection — particularly when protocols incorporate cutting-edge technology.

Protocol Founder Vows to Continue

In an emotional response to the hack, SIR.trading’s founder Xatarrer described the incident as “the worst news a protocol could receive” but expressed determination to keep the project alive despite the setback. The protocol, also known as Synthetics Implemented Right, was designed as a platform for safer leveraged trading, specifically addressing challenges such as volatility decay and liquidation risks.

Ironically, SIR.trading’s own documentation had previously warned users about the potential for undiscovered bugs. The project’s risk disclosure specifically highlighted that despite undergoing audits, its smart contracts could still contain flaws leading to financial losses. The documentation pointed to the complex logic in vault mechanics and leverage calculations as areas where audits might fail to catch rare but critical vulnerabilities.

Broader Context: A Year of DeFi Exploits

The SIR.trading hack adds to a growing list of DeFi security incidents in early 2025. The crypto space is still reeling from the massive $1.4 billion Bybit exchange hack in February, which was attributed to North Korea’s Lazarus Group — one of the largest crypto thefts in history. In parallel, cybersecurity firm ThreatFabric uncovered a new Android malware called Crocodilus designed to steal cryptocurrency wallet seed phrases through fake overlay screens and social engineering tactics.

These incidents underscore the multifaceted security challenges facing the DeFi ecosystem. While smart contract vulnerabilities represent one vector of attack, the broader threat landscape includes exchange breaches, social engineering, and now potentially fundamental issues with blockchain protocol features themselves.

Implications for Transient Storage Adoption

The SIR.trading exploit may have ripple effects across the Ethereum development community. Transient storage was heralded as a significant efficiency improvement when it debuted with the Dencun upgrade, promising lower gas costs for temporary data operations. However, the attack demonstrates that new features — no matter how beneficial — introduce fresh attack surfaces that may take time to fully understand and secure.

Developers building on Ethereum will likely need to exercise additional caution when implementing transient storage in their smart contracts, particularly in high-value DeFi applications where the financial stakes are significant. Security firms may also need to update their audit frameworks to specifically address transient storage-related risks, ensuring that callback functions and similar mechanisms are properly protected against manipulation.
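As an added illustration (not SIR.trading’s code and not taken from Decurity’s analysis), the following Solidity contrasts the weak pattern described above, a swap callback authenticated only by a caller-supplied address parked in transient storage, with a hardened form in which the pool is resolved from the Uniswap V3 factory, the transient slot is armed for exactly one callback and disarmed before any transfer, and payment goes only to the pool that actually called back. Contract names, the slot layout and the token0/token1 ordering assumption are mine, not the protocol’s.

```solidity
// SPDX-License-Identifier: MIT
// Illustrative pattern only, not SIR.trading's code. Needs solc >= 0.8.28 (transient keyword, Cancun EVM).
pragma solidity ^0.8.28;
interface IERC20 { function transfer(address to, uint256 amt) external returns (bool); }
interface IUniswapV3Factory { function getPool(address, address, uint24) external view returns (address); }
interface IUniswapV3Pool {
    function swap(address recipient, bool zeroForOne, int256 amount, uint160 sqrtPriceLimitX96, bytes calldata data)
        external returns (int256 amount0, int256 amount1);
}

// WEAK: a caller-supplied "pool" is parked in transient storage and the callback trusts whoever
// matches it. Nothing proves the address is a real Uniswap pool, and the slot stays armed until
// the transaction ends, so the callback can be hit again while it is still authorised.
contract WeakCallbackVault {
    address transient expectedPool;
    function swapViaPool(address pool, int256 amount, uint160 limit, bytes calldata data) external {
        expectedPool = pool;                                     // untrusted input becomes the auth key
        IUniswapV3Pool(pool).swap(address(this), true, amount, limit, data);
    }                                                            // expectedPool is never disarmed

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata data) external {
        require(msg.sender == expectedPool, "unauthorised callback");
        (address token, address payTo) = abi.decode(data, (address, address));
        IERC20(token).transfer(payTo, uint256(amount0Delta));   // recipient taken from calldata
    }
}

// HARDENED: resolve the pool from the canonical factory, arm the slot for exactly one callback,
// disarm it before any token transfer, and pay only the pool that actually called back.
// Assumption: tokenIn is the pool's token0 (zeroForOne = true), so the amount owed is amount0Delta.
contract HardenedCallbackVault {
    IUniswapV3Factory public immutable factory;
    address transient expectedPool;
    constructor(IUniswapV3Factory f) { factory = f; }

    function swapViaPool(address tokenIn, address tokenOut, uint24 fee, int256 amount, uint160 limit) external {
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0) && tokenIn < tokenOut, "unknown pool or wrong token order");
        expectedPool = pool;
        IUniswapV3Pool(pool).swap(address(this), true, amount, limit, abi.encode(tokenIn));
        expectedPool = address(0);                               // disarm even if no callback came
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256, bytes calldata data) external {
        address pool = expectedPool;
        expectedPool = address(0);                               // one-shot: disarm before paying
        require(pool != address(0) && msg.sender == pool && amount0Delta > 0, "unauthorised callback");
        IERC20(abi.decode(data, (address))).transfer(msg.sender, uint256(amount0Delta));
    }
}
```

An audit checklist item that follows from the hardened form: every value read from transient storage inside a callback should be cleared on first use and should never have been set from unvalidated caller input.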

Why This Matters

The SIR.trading hack is a wake-up call for the entire DeFi ecosystem. As Ethereum continues to evolve with new technical features like transient storage, the security landscape is shifting faster than traditional audit methodologies can keep pace. This incident demonstrates that innovation and security exist in constant tension — and that protocols leveraging cutting-edge blockchain features must invest in specialized security assessments that go beyond standard audit practices. For DeFi users, it reinforces the fundamental truth that even audited, well-intentioned protocols can fail catastrophically, and that diversification and risk management remain essential in the decentralized finance space.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk, and past performance is not indicative of future results. Always conduct your own research before making investment decisions.


3 thoughts on “DeFi Protocol SIR.trading Drained of Entire $355K TVL in Exploit Targeting Ethereum Transient Storage”

  1. dencun_exploit_

    transient storage was supposed to save gas costs, not become an attack vector. substituting the uniswap pool address is such a simple exploit once you see it

  2. Katya Smirnova

    355K is small potatoes but the fact that they used railgun to wash the funds means this person knew exactly what they were doing. expect copycats

    1. buff_auditor_

      the founder pledging to keep the project alive after losing 100% of TVL is either admirable or delusional. probably both
