According to data from Etherscan, an attacker exploited one of TempleDAO’s staking vaults this morning and drained 1,830 ETH, or about $2.3 million at the time. TempleDAO is a protocol that promises to provide sustainable income via staking.
The TempleDAO CORE vaults, which store more than $100 million in stablecoins, are safe, a contributor said in the project’s Discord channel, and “the exploiter can do no further harm.”
All affected users will be provided with “remediations,” the contributor wrote.
The Etherscan blockchain explorer shows that at around 9:11 AM EDT on October 11, someone withdrew funds from the project’s STAX staking vault. Announcing the withdrawal in the TempleDAO Discord, the team stated that “exactly 1,418,303 TEMPLE and 1,362,438 FRAX” were sent out.
TEMPLE tokens, purchased with the stablecoin FRAX, are used to enter the Temple. The exploiter’s wallet was initially funded from an associated Binance account, which sent it 1.1 ETH about an hour and a half before the exploit took place.
Multiple code exploits over the past year have raised serious concerns about the security of smart contracts and cross-chain bridges. Not long ago, a hacker took two million dollars from the WANplatform cross-chain bridge.
According to a tweet by blockchain security firm Paladin, the exploit used in the TempleDAO hack was not related to a bridge vulnerability in the smart contract.
The vulnerability stemmed from “several malpractices” in a staking function that allowed staked tokens to be migrated from an earlier contract. The attacker triggered this function with a spoofed address, so the vault’s contents were siphoned off to the attacker rather than to the new contract.
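The pattern described above, a migration function that trusts a caller-supplied address for the “earlier contract”, is illustrated below as an added example. This is not TempleDAO’s code and does not reproduce the audited contract; the names (IOldStaking, VaultWeak, VaultHardened, migrateStake) are hypothetical, and the payout path is omitted so the example focuses on where the trust boundary is broken and how it is closed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustrative example, not TempleDAO's code. All names are hypothetical.
// It shows the general pattern the article describes: a migration function
// that reads a user's stake from an "old contract" address chosen by the caller.

interface IOldStaking {
    function balanceOf(address account) external view returns (uint256);
}

// Weak pattern: the old staking contract is whatever address the caller passes.
// Nothing ties `oldStaking` to the protocol's real previous contract, so any
// contract whose balanceOf() returns an arbitrary number is accepted, and the
// credited stake ends up under msg.sender rather than the migrated account.
contract VaultWeak {
    mapping(address => uint256) public staked;

    function migrateStake(address oldStaking, address account) external {
        uint256 amount = IOldStaking(oldStaking).balanceOf(account);
        staked[msg.sender] += amount; // credited to the caller, not to `account`
        // withdraw path omitted: it would pay out `staked[msg.sender]`
    }
}

// Hardened pattern: the old contract is pinned at deployment (not caller-supplied),
// a caller can only migrate their own position, and migration is one-shot per
// account so the same old balance cannot be credited twice.
contract VaultHardened {
    IOldStaking public immutable oldStaking;   // fixed trust anchor
    mapping(address => uint256) public staked;
    mapping(address => bool) public migrated;

    event Migrated(address indexed account, uint256 amount);

    constructor(IOldStaking _oldStaking) {
        require(address(_oldStaking) != address(0), "old staking unset");
        oldStaking = _oldStaking;
    }

    function migrateStake() external {
        require(!migrated[msg.sender], "already migrated");
        uint256 amount = oldStaking.balanceOf(msg.sender);
        require(amount > 0, "nothing to migrate");
        migrated[msg.sender] = true;          // set before crediting
        staked[msg.sender] += amount;
        emit Migrated(msg.sender, amount);
        // In a complete design the old contract must also invalidate the
        // migrated position on its side; the one-shot flag only protects this vault.
    }
}
```

The hardened version removes the caller-controlled address entirely rather than validating it, which is the simplest fix when there is exactly one legitimate predecessor contract. The emitted Migrated event also gives monitoring a signal to alert on if migrated amounts diverge from what the old contract ever held.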
Paladin called it among “the most trivial exploits at scale in a while.” The exploited contract went live more than a hundred days ago, and the flaw had been present the entire time.
For a short time after the staking vault theft, the TempleDAO token dropped in value by 20%. The exploiter caused this market drop by trading TEMPLE for FRAX, the most liquid pool (lowest slippage) at the time, as shown by Dexscreener.