TempleDAO, a protocol that claims it provides sustainable income via staking, lost 1,830 ETH, roughly $2.3 million at the time, in an exploit of one of its staking vaults this morning, according to data from Etherscan.
A TempleDAO contributor said in the project’s Discord channel that its CORE vaults, which hold over $100 million in stablecoins, are unaffected and “the exploiter can do no further harm.”
“Remediations will be made for all affected users,” the contributor wrote.
Data from Etherscan shows a withdrawal from the project’s STAX staking vault took place at roughly 9:11 a.m. EST on Oct. 11. The withdrawal was “precisely 1,418,303 TEMPLE and 1,362,438 FRAX”, according to an announcement made in the TempleDAO Discord.
The TEMPLE tokens were sold for the stablecoin FRAX. The exploiting wallet was funded from an address linked to a Binance account: it received 1.1 ETH from that account about an hour and a half before the exploit occurred.
Smart contract and cross-chain bridge vulnerabilities have been a source of significant concern in light of multiple code exploits over the past year. A hacker recently stole $1 million from the QANplatform cross-chain bridge.
The TempleDAO hack, by contrast, was a smart contract exploit unrelated to any bridge, blockchain security firm Paladin tweeted.
The exploit was due to “several malpractices” in one of the staking functions, the one that let users migrate staked tokens from an older contract into the new one. The function trusted the caller to supply the address of the old staking contract, so the exploiter called it with the address of a fake contract instead. That credited them with a stake they never held and let them withdraw all of the vault’s funds to themselves rather than migrating anything into the new contract.
The exploit is “one of the most trivial exploits at scale in a while,” Paladin wrote. The exploited contract had been live for over 100 days, and the vulnerability had been present since its deployment.
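The flaw pattern described above, as an added example written for this article, not TempleDAO’s, STAX’s or Paladin’s code: a Python model of a vault whose migration function trusts a caller-supplied “old staking contract” address, next to the same vault with the missing check. All names (VulnerableVault, migrate_stake, migrate_withdraw, trusted_old), the token figures and the user names are assumptions chosen to illustrate the pattern.

```python
"""Model of a staking-vault migration flaw: the migration function trusts
whatever "old staking contract" address the caller passes in.

Illustrative code written for this article.  It is NOT TempleDAO's, STAX's
or Paladin's code; every name and amount below is an assumption.
"""


class LegitOldStaking:
    """Stands in for the genuine previous staking contract."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def migrate_withdraw(self, user, amount):
        # The real old contract only releases what the user actually staked.
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient stake in old contract")
        self.balances[user] -= amount


class FakeOldStaking:
    """Attacker-deployed contract: same interface, no checks at all."""

    def migrate_withdraw(self, user, amount):
        return  # reports success for any user and any amount


class VulnerableVault:
    """New vault: custodies LP tokens and keeps per-user stake accounting."""

    def __init__(self, lp_balance, trusted_old):
        self.lp_balance = lp_balance      # tokens held on behalf of all stakers
        self.staked = {}                  # user -> credited stake
        self.trusted_old = trusted_old    # the legitimate old contract

    def migrate_stake(self, caller, old_staking, amount):
        # FLAW: old_staking is whatever the caller supplied; it is never
        # compared with self.trusted_old before the vault relies on it.
        old_staking.migrate_withdraw(caller, amount)
        self.staked[caller] = self.staked.get(caller, 0) + amount

    def withdraw_all(self, caller):
        amount = self.staked.pop(caller, 0)
        if amount > self.lp_balance:
            raise ValueError("token transfer would fail")
        self.lp_balance -= amount
        return amount                     # LP tokens sent to the caller


class HardenedVault(VulnerableVault):
    """Same vault with the missing check: only the known old contract counts."""

    def migrate_stake(self, caller, old_staking, amount):
        if old_staking is not self.trusted_old:
            raise PermissionError("migration only from the known old contract")
        super().migrate_stake(caller, old_staking, amount)


VAULT_LP = 1_000_000   # constructed figure: LP tokens custodied by the vault


def run_attack(vault_cls):
    """Attacker 'migrates' a fake stake equal to the whole vault, then withdraws.

    Returns the number of LP tokens the attacker walks away with."""
    legit_old = LegitOldStaking({"alice": 500})
    vault = vault_cls(VAULT_LP, legit_old)
    try:
        vault.migrate_stake("attacker", FakeOldStaking(), VAULT_LP)
    except PermissionError:
        return 0
    return vault.withdraw_all("attacker")


def run_legit_migration(vault_cls):
    """An honest user migrating a real stake; must keep working after the fix."""
    legit_old = LegitOldStaking({"alice": 500})
    vault = vault_cls(VAULT_LP, legit_old)
    vault.migrate_stake("alice", legit_old, 500)
    return vault.withdraw_all("alice")


if __name__ == "__main__":
    print("vulnerable vault drained:", run_attack(VulnerableVault))
    print("hardened vault drained:  ", run_attack(HardenedVault))
    print("honest migration paid:   ", run_legit_migration(HardenedVault))
```

The identity check `old_staking is not self.trusted_old` is the Python stand-in for an address comparison against a value fixed at deployment (or an allowlist); the point is that any address the caller controls must be treated as untrusted input, not as a trusted counterparty, because the fake contract can answer every call with success.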
The TempleDAO token briefly dropped 20% after the staking vault theft. The drop came as the exploiter swapped TEMPLE for FRAX through the most liquid pool, the one with the lowest slippage, according to Dexscreener.
Source: theblock.co
>>> Related: Hacker drains $1 million from QANplatform bridge, token slumps 94%