The hack was allegedly caused by “a missing onlyMigrator check.”
TempleDAO, a yield-farming Decentralized Finance (DeFi) protocol, lost over $2.34M to a hack on Oct 11.
The exploit was first flagged by Twitter user @spreekaway, who posted that the DeFi platform had been hacked, along with a snapshot of how the stolen funds had been moved.
.@templedao exploited for $2m it seems pic.twitter.com/k0nBLSoxnx
— Spreek (@spreekaway) October 11, 2022
Blockchain security firms BlockSec and PeckShield confirmed in a series of tweets that the exploit had indeed occurred. BlockSec shared that the root cause of the attack was “insufficient access control to the migrateStake function,” meaning the function could be called by addresses that were never meant to have that permission.
TempleDao @templedao has been attacked. The root cause is the insufficient access control to the migrateStake function.https://t.co/eUwSMkZrEt pic.twitter.com/zXBUwzQ2Oy
— BlockSec (@BlockSecTeam) October 11, 2022
PeckShield added that the exploiter, whose address had been funded through SimpleSwap, had already transferred 1,831 ETH (about $2.34M) to a new address.
#PeckShieldAlert Seems like @templedao got exploited. The exploiter funded from SimpleSwap and already transferred 1,831 $ETH (~$2.34M) to a new address 0x2B63d…B5A0 @peckshield https://t.co/bOyOARyyxY pic.twitter.com/SVEm8o95U6
— PeckShieldAlert (@PeckShieldAlert) October 11, 2022
STAX Finance, a decentralized app (dApp) powered by TempleDAO, stated in a series of tweets that:
“A total of 321,154 xLP tokens were taken from the xLP Staking contract at 13:08 UTC time. These tokens were swapped for precisely 1,418,303 $TEMPLE and 1,262,438 $FRAX. 1,418,303 $TEMPLE were sold for FRAX.”
The account said that a single actor was responsible for the hack, which it attributed to “a missing onlyMigrator check.” That matches BlockSec’s finding: without the onlyMigrator modifier, migrateStake was not restricted to the designated migrator contract, so any address could invoke it. In the meantime, the account cautioned users against further deposits into STAX contracts until remediations were made, saying:
“The dApp has been taken down to avoid accidental usage. This is now under control and the exploiter can do no further harm. Remediations will be made for all affected users.”
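To make the “missing onlyMigrator check” concrete, here is an added illustration written for this article. It is not TempleDAO’s or STAX’s code: the page does not reproduce the affected contract, so the contract layout, the migrateStake signature (staker, amount), the IERC20 interface, the NotMigrator error and the Foundry test are all assumptions. The first contract shows the vulnerable shape, where migrateStake carries no caller restriction; the second shows the same function gated by an onlyMigrator modifier bound to an immutable migrator address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical staking contracts written for this article as an illustration.
// They are NOT TempleDAO's or STAX's code. The names xLP, migrateStake and
// onlyMigrator come from the reporting; every other name and detail is assumed.

// Foundry test helpers (assumes forge-std is installed in the project).
import "forge-std/Test.sol";

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// --- Vulnerable shape: migrateStake has no caller restriction ---------------
contract StakingVulnerable {
    IERC20 public immutable xLP;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _xLP) { xLP = _xLP; }

    // Intended to be called only by a trusted migrator contract that moves
    // positions over from an old staking contract. With no modifier, ANY
    // address can call it and credit an arbitrary xLP balance to itself.
    function migrateStake(address staker, uint256 amount) external {
        balanceOf[staker] += amount;
    }

    // The fabricated balance is then cashed out against real xLP held here.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(xLP.transfer(msg.sender, amount), "transfer failed");
    }
}

// --- Hardened shape: migrateStake gated by onlyMigrator -----------------------
contract StakingHardened {
    IERC20 public immutable xLP;
    address public immutable migrator;
    mapping(address => uint256) public balanceOf;

    error NotMigrator(address caller);

    // The check the vulnerable contract lacks: revert unless the caller is
    // the one address configured as the migrator.
    modifier onlyMigrator() {
        if (msg.sender != migrator) revert NotMigrator(msg.sender);
        _;
    }

    constructor(IERC20 _xLP, address _migrator) {
        require(_migrator != address(0), "zero migrator");
        xLP = _xLP;
        migrator = _migrator;
    }

    function migrateStake(address staker, uint256 amount) external onlyMigrator {
        balanceOf[staker] += amount;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(xLP.transfer(msg.sender, amount), "transfer failed");
    }
}

// --- Regression test: an unprivileged caller must be rejected -----------------
contract MigrateStakeTest is Test {
    StakingHardened s;
    address migrator = address(0xBEEF); // assumed test addresses
    address attacker = address(0xBAD);

    function setUp() public {
        // Token address is irrelevant here; migrateStake never touches it.
        s = new StakingHardened(IERC20(address(0)), migrator);
    }

    function testAttackerCannotMigrate() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(StakingHardened.NotMigrator.selector, attacker)
        );
        s.migrateStake(attacker, 1e24);
    }

    function testMigratorCanMigrate() public {
        vm.prank(migrator);
        s.migrateStake(attacker, 1e18);
        assertEq(s.balanceOf(attacker), 1e18);
    }
}
```

The test is the check a reviewer would want on any privileged entry point: call it from an address that is not the configured principal and assert that it reverts, then call it from the principal and assert the state change. Run it with `forge test` in a Foundry project. The same pattern applies to every function whose name or comment implies a trusted caller (migrate, rescue, setX): a comment is not a check, and the modifier has to be on the function signature.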
TempleDAO is now working with Binance on an investigation, since the exploiter’s address was linked to a Binance account. The TempleDAO-powered dApp’s account said:
“We are following up with Binance and will initialize a white hat bounty for the exploiter. We are increasing our existing bounty with Hats Finance and establishing secure communications if the hacker chooses to return funds and receive a legal bounty. Details to come.”
Prior to the exploit, DeFiLlama reported that the total value locked in TempleDAO’s protocol was about $57 million. The exploit amounted to an estimated 4% of the protocol’s holdings.
On Oct 6, Cointelegraph reported that the BNB Chain, the blockchain of crypto exchange Binance, had been paused due to an exploit on its cross-chain bridge, where attackers made off with an estimated $100 million worth of cryptocurrency.