The hack was allegedly caused by “a missing onlyMigrator check.”
TempleDAO, a yield-farming decentralized finance (DeFi) protocol, lost over $2.34 million to a hack on Oct. 11.
The exploit was announced by Twitter user Spreek, who shared that the DeFi platform had been hacked, along with a snapshot of how the stolen funds had been moved.
.@templedao exploited for $2m it seems pic.twitter.com/k0nBLSoxnx
— Spreek (@spreekaway) October 11, 2022
Blockchain security companies BlockSec and PeckShield confirmed in a series of tweets that the exploit had indeed occurred. BlockSec shared that the root cause of the attack was “insufficient access control to the migrateStake function.”
TempleDao @templedao has been attacked. The root cause is the insufficient access control to the migrateStake function.https://t.co/eUwSMkZrEt pic.twitter.com/zXBUwzQ2Oy
— BlockSec (@BlockSecTeam) October 11, 2022
PeckShield claimed that the exploiter’s address was funded via SimpleSwap and that 1,831 Ether (ETH), worth about $2.34 million, had already been transferred to a new address.
#PeckShieldAlert Seems like @templedao got exploited. The exploiter funded from SimpleSwap and already transferred 1,831 $ETH (~$2.34M) to a new address 0x2B63d...B5A0 @peckshield https://t.co/bOyOARyyxY pic.twitter.com/SVEm8o95U6
— PeckShieldAlert (@PeckShieldAlert) October 11, 2022
Stax, a decentralized application powered by TempleDAO, stated in a tweet:
“A total of 321,154 xLP tokens were taken from the xLP Staking contract at 13:08 UTC time. These tokens were swapped for precisely 1,418,303 $TEMPLE and 1,262,438 $FRAX. 1,418,303 $TEMPLE were sold for FRAX.”
Stax suggested that a single actor was responsible for the hack, which it attributed to “a missing onlyMigrator check,” consistent with BlockSec’s finding. In the meantime, Stax cautioned users against further deposits into STAX contracts until remediations were made, saying:
“The dApp has been taken down to avoid accidental usage. This is now under control and the exploiter can do no further harm. Remediations will be made for all affected users.”
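The bug class Stax and BlockSec describe, a privileged migration entry point on a staking contract that is callable by anyone, is easier to see in code. The following Solidity is an illustrative example added here; it is not TempleDAO’s or Stax’s code, and the contract and function names (StakingBase, StakingVulnerable, StakingHardened, migrateStake, migrator) are assumptions for the demonstration. It places a version of migrateStake with no access check beside one gated by an onlyMigrator modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative example, not TempleDAO's or Stax's code. It models the bug
// class named in the article: a privileged "migrate" entry point on a
// staking contract that lacks an onlyMigrator check, next to a hardened
// version. All names here are assumptions for this demo.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared staking logic: users deposit a token and can withdraw their balance.
abstract contract StakingBase {
    IERC20 public immutable stakingToken;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 token) {
        stakingToken = token;
    }

    function stake(uint256 amount) external {
        require(stakingToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        // Solidity 0.8 checked arithmetic reverts if amount exceeds the balance.
        balanceOf[msg.sender] -= amount;
        require(stakingToken.transfer(msg.sender, amount), "transfer failed");
    }
}

// BEFORE: migrateStake is meant for a trusted migration path during an
// upgrade, but nothing restricts who may call it. Any address can credit a
// balance that was never deposited and then withdraw tokens the contract holds.
contract StakingVulnerable is StakingBase {
    constructor(IERC20 token) StakingBase(token) {}

    function migrateStake(address staker, uint256 amount) external {
        balanceOf[staker] += amount;
    }
}

// AFTER: the same entry point gated by an onlyMigrator modifier. Only the
// migrator address fixed at deployment (assumed to be the previous staking
// contract or an upgrade helper) can credit balances.
contract StakingHardened is StakingBase {
    address public immutable migrator;

    error NotMigrator(address caller);

    modifier onlyMigrator() {
        if (msg.sender != migrator) revert NotMigrator(msg.sender);
        _;
    }

    constructor(IERC20 token, address migrator_) StakingBase(token) {
        require(migrator_ != address(0), "migrator unset");
        migrator = migrator_;
    }

    function migrateStake(address staker, uint256 amount) external onlyMigrator {
        balanceOf[staker] += amount;
    }
}
```

The review rule this illustrates: every external function that changes a balance on behalf of an address other than msg.sender needs an explicit role check, and a unit test should assert that a call from a non-migrator address reverts with NotMigrator before the contract is deployed.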
TempleDAO is now working with Binance to investigate, as the exploiter’s address was linked to a Binance account. Stax said:
“We are following up with Binance and will initialize a white hat bounty for the exploiter. We are increasing our existing bounty with Hats Finance and establishing secure communications if the hacker chooses to return funds and receive a legal bounty. Details to come.”
Prior to the exploit, the total value locked in TempleDAO’s protocol was about $57 million, according to DefiLlama. The exploit amounted to an estimated 4% of the protocol’s holdings.