Hacker steals $2.3 million from TempleDAO

DeFi • October 11, 2022, 2:09PM EDT
The Block

Quick Take

  • TempleDAO suffered an exploit this morning for roughly $2.3 million worth of crypto tokens.
  • The project claimed it would make “remediations” for all affected users.

TempleDAO, a protocol that claims it provides sustainable income via staking, suffered a malicious exploit this morning on one of its staking vaults for 1,830 ETH, roughly $2.3 million at the time, according to data from Etherscan.

A TempleDAO contributor said in the project's Discord channel that its CORE vaults, which hold over $100 million in stablecoins, are unaffected and “the exploiter can do no further harm."

"Remediations will be made for all affected users," the contributor wrote.

Data from Etherscan shows a withdrawal from the project’s STAX staking vault took place at roughly 9:11 a.m. EST on Oct. 11. The withdrawal was “precisely 1,418,303 TEMPLE and 1,362,438 FRAX”, according to an announcement made in the TempleDAO Discord.

The TEMPLE tokens were sold for the stablecoin FRAX. The address involved has been linked to a Binance account, which provided the initial funds to the exploiting wallet address. It received 1.1 ETH about an hour and a half before the exploit occurred.

Smart contract and cross-chain bridge vulnerabilities have been a source of significant concern in light of multiple code exploits over the past year. A hacker recently stole $2 million from the WANplatform cross-chain bridge.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The TempleDAO hack is related to a non-bridge related smart contract exploit, blockchain security firm Paladin tweeted.

This exploit was due to “several malpractices” in one of the staking functions, which allowed users to migrate staked tokens from an older contract. The exploiter called this specific function with a fake address, giving them access to withdraw all the funds from the vault to themselves instead of the new contract.

The exploit is “one of the most trivial exploits at scale in awhile,” Paladin wrote. The exploited contract was deployed over 100 days ago, and the vulnerability has been present since its deployment.

The TempleDAO token briefly dropped 20% after the staking vault theft. This market drop occurred when the exploiter swapped TEMPLE for FRAX, which was the most liquid pool (lowest slippage), according to Dexscreener.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Mike is a reporter on the crypto ecosystems team who specializes in zero-knowledge proofs and applications. Prior to joining The Block, Mike worked with Circle, Blocknative, and various DeFi protocols on growth and strategy.