
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score: (no value shown)
Cluster: mainnet-beta
Slot: 423640472
Off-chain at: 2026-06-01T17:49:24.836Z
Anchored at: (no value shown)
Block time: (no value shown)

Independent verification

1. Database (off-chain): nBZ8aRNPEanGzmTKfCGfRxGEHaadug2Nj6YAY7MWaan
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…

Canonical bytes hashed (17850 chars)
{"actor":"system:backfill","investigation_id":"ec1b71e2-3ef9-41a8-8b3a-c9c84f52f244","kind":"publish","page_slug":"sir-trading","published_at":"2026-06-01T17:49:24.769Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SIR.trading","sections":[{"content":"SIR.trading (Synthetics Implemented Right) describes itself as a DeFi protocol for 'safer leverage' on Ethereum, marketed under the tagline 'Leverage You Can Sleep On.' The protocol's core design goals centered on eliminating common risks associated with leveraged trading: no liquidation risk (leveraged tokens can depreciate but not be liquidated), no volatility decay, and a one-time fee structure that charges fees only at minting and burning rather than ongoing funding rates. The system uses a permissionless vault model inspired by Uniswap, where any user can create a vault parameterized by a collateral token (COL), a debt token (DBT), and a leverage ratio. Two user archetypes are defined: 'gentlemen' (liquidity providers) and 'apes' (leveraged traders). SIR's documentation emphasized 'maximally trustless' operation through non-upgradable smart contracts and immutable parameters. The protocol also explicitly warned that despite audits, undiscovered bugs in vault mechanics could lead to fund loss — a caveat that proved prescient.","heading":"Protocol Overview and Design Philosophy","severity":"low","sources":[{"credibility":1,"name":"SIR Official Documentation — Introducing SIR","type":"official","url":"https://docs.sir.trading"},{"credibility":1,"name":"SIR Official Documentation — User Risks","type":"official","url":"https://docs.sir.trading/protocol-overview/user-risks"},{"credibility":1,"name":"SIR Trading — Official Website","type":"official","url":"https://www.sir.trading/"}]},{"content":"On March 30, 2025, an attacker drained the protocol's entire TVL of approximately $355,000 in USDC, wBTC, and wETH from SIR's Vault contract. 
The exploit is considered one of the first documented real-world attacks exploiting Ethereum's EIP-1153 transient storage feature, introduced in the Dencun hard fork of March 2024. The root cause was a transient storage slot collision in the Vault contract's uniswapV3SwapCallback function. The Vault stored a legitimate Uniswap V3 pool address in transient storage slot 0x01 during execution of the mint() function for caller verification purposes; however, the same slot was subsequently overwritten with the minted token amount at the end of the callback — leaving stale numeric data in the slot where an address was expected. The attacker exploited this collision by brute-forcing a CREATE2 vanity address whose numeric value matched the precise overwritten mint amount (95,759,995,883,742,311,247,042,417,521,410,689). By deploying a malicious contract to that precomputed address, the attacker passed the pool-address verification check and repeatedly invoked uniswapV3SwapCallback to siphon all collateral. The attacker's preparation began on January 30, 2025, when they deployed dummy ERC-20 tokens and created a controlled Uniswap V3 pool to initialize the vault. Stolen assets were converted to wETH and routed through Railgun, an Ethereum privacy protocol, within minutes of the exploit. 
The attacker address is 0x27defcfa6498f957918f407ed8a58eba2884768c; the vulnerable Vault contract is 0xb91ae2c8365fd45030aba84a4666c4db074e53e7.","heading":"March 2025 Exploit: Transient Storage Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"Blockscope Research — SIR Protocol Exploit: Analyzing the Transient Storage Vulnerability","type":"news","url":"https://research.blockscope.co/sir-protocol-exploit/"},{"credibility":2,"name":"DeFiHackLabs — SIR Exploit ~355k loss Vulnerability Analysis","type":"news","url":"https://defihacklabs.substack.com/p/sir-exploit-355k-loss-vulnerability"},{"credibility":1,"name":"CoinTelegraph — DeFi protocol SIR.trading loses entire $355K TVL in 'worst news' possible","type":"news","url":"https://cointelegraph.com/news/defi-protocol-sir-trading-loses-entire-355-k-tvl-exploit"},{"credibility":2,"name":"Rekt News — SIR Trading Rekt","type":"news","url":"https://rekt.news/sirtrading-rekt"},{"credibility":2,"name":"Crypto.news — DeFi protocol SIR.trading loses entire $355K TVL following exploit","type":"news","url":"https://crypto.news/defi-protocol-sir-trading-loses-entire-355k-tvl-following-exploit/"}]},{"content":"Prior to the exploit, SIR.trading had undergone a single security audit conducted by Egis Security in January–February 2025. The audit identified 3 high-severity, 2 medium-severity, and 2 low-severity issues. However, the vulnerability exploited on March 30 — the transient storage slot collision in the uniswapV3SwapCallback function — was not identified or remediated. Founder Xatarrer publicly acknowledged the constraint: 'We raised around $70k from folks in here which allowed us to do 1 audit which unfortunately wasn't enough.' The team's limited budget — approximately $70,000 raised from community supporters without venture capital — meant the protocol could not afford multiple independent reviews. 
Security researchers noted that coverage of Ethereum's transient storage (EIP-1153) was a novel audit surface at the time, as the feature was only introduced in the Dencun upgrade approximately one year prior. Following the exploit and subsequent relaunch, the protocol's documentation states it underwent four independent security audits before returning to production.","heading":"Audit History and Security Limitations","severity":"high","sources":[{"credibility":2,"name":"Rekt News — SIR Trading Rekt (audit history)","type":"news","url":"https://rekt.news/sirtrading-rekt"},{"credibility":2,"name":"GitHub — Egis-Security Audits Portfolio","type":"official","url":"https://github.com/Egis-Security/audits"},{"credibility":2,"name":"Blockscope Research — SIR Protocol Exploit Analysis","type":"news","url":"https://research.blockscope.co/sir-protocol-exploit/"},{"credibility":1,"name":"SIR Official Documentation — User Risks (post-relaunch audit disclosure)","type":"official","url":"https://docs.sir.trading/protocol-overview/user-risks"}]},{"content":"The exploit was detected on March 30, 2025, by blockchain security monitoring services TenArmorAlert and Decurity. Pseudonymous founder Xatarrer described the event as 'the worst news a protocol can receive' and issued an emotional statement: 'I just came back asap from my kid's training. I am in shock. Sorry to everyone. Investors, believers… I poured 4 years of my life.' On March 31, 2025, Xatarrer published an on-chain message to the attacker offering $100,000 — approximately 28% of the stolen amount — as compensation for discovering the critical vulnerability, requesting the return of the remaining approximately $255,000, and pledging no legal action would be taken. The team also publicly stated that without recovery of the majority of funds, 'there is no chance for us to survive.' The attacker did not respond and did not return any funds. 
The stolen assets had already been moved through Railgun, substantially complicating any on-chain tracing or recovery effort. Despite losing most of its operating capital, the team subsequently announced plans to relaunch, seeking auditors willing to accept token equity in lieu of cash payment. The protocol relaunched at app.sir.trading following completion of additional security audits, though no timeline for the relaunch has been independently verified in the sources reviewed.","heading":"Team Response and Recovery Attempts","severity":"high","sources":[{"credibility":2,"name":"Rekt News — SIR Trading Rekt (team response)","type":"news","url":"https://rekt.news/sirtrading-rekt"},{"credibility":1,"name":"CoinTelegraph — SIR.trading begs hacker to return $255K or 'no chance for us to survive'","type":"news","url":"https://cointelegraph.com/news/sir-trading-founder-begs-hacker-return-funds-or-wont-survive"},{"credibility":2,"name":"Bitget News — SIR.trading founder pleads for return of $255K after $355K hack","type":"news","url":"https://www.bitget.com/news/detail/12560604677744"},{"credibility":2,"name":"Crypto.news — SIR.trading offers attacker $100K bounty after losing entire TVL","type":"news","url":"https://crypto.news/sir-trading-offers-attacker-100k-bounty-after-losing-entire-tvl-to-exploit/"}]},{"content":"The DeFi security community responded to the SIR.trading exploit with a mix of sympathy and critique. Several security researchers acknowledged the founder's transparency and the unusual nature of the attack vector. Sup Labs security researcher SupLabsYi characterized the incident as 'one of the first real-world attacks exploiting' Ethereum's transient storage vulnerabilities, attracting significant technical interest. 
Community sentiment was generally sympathetic toward the team given the protocol's non-VC, community-funded origins, four-year development history, and the founder's open acknowledgment of the loss — though critics noted that a single audit was insufficient for a protocol implementing cutting-edge Ethereum features with real user funds. The exploit attracted attention as an early data point on the security risks of EIP-1153 transient storage in production smart contracts. Separate from community reaction, an incidental note surfaced post-exploit: Xatarrer had reportedly been contacted by a suspicious job candidate who told a story about a 'North Korean operative being liquidated during a video call,' which Xatarrer had initially dismissed; this was noted by community observers as a potential social engineering precursor, though a direct causal link between this contact and the exploit was not established in the sources reviewed.","heading":"Community Reaction and Broader Context","severity":"medium","sources":[{"credibility":1,"name":"CoinTelegraph — DeFi protocol SIR.trading loses entire $355K TVL in exploit","type":"news","url":"https://cointelegraph.com/news/defi-protocol-sir-trading-loses-entire-355-k-tvl-exploit"},{"credibility":2,"name":"Rekt News — SIR Trading Rekt (community context)","type":"news","url":"https://rekt.news/sirtrading-rekt"},{"credibility":2,"name":"Cryptonomist — SIR.trading: Hacker steals entire TVL of $355,000","type":"news","url":"https://en.cryptonomist.ch/2025/03/31/sir-trading-hacker-steals-the-entire-tvl-of-355000-by-exploiting-a-vulnerability-in-ethereums-transient-storage/"},{"credibility":3,"name":"MoneyCheck — How SIR.trading Lost Everything in a Single Attack","type":"news","url":"https://moneycheck.com/worst-news-possible-how-sir-trading-lost-everything-in-a-single-attack/"}]},{"content":"Following the March 2025 exploit, the SIR team announced plans to rebuild and relaunch the protocol. 
According to the protocol's official documentation, the rebuilt version underwent four independent security audits prior to relaunch. The team sought auditors willing to work for token equity due to the loss of most operating capital. The relaunch application is accessible at app.sir.trading. The protocol's documentation also references expanded deployment beyond Ethereum to HyperEVM and MegaETH networks in the relaunched version. No stolen funds were returned by the attacker. As of the time of this investigation, the protocol's TVL and user adoption following the relaunch has not been independently reported in major news sources reviewed.","heading":"Relaunch and Current Status","severity":"medium","sources":[{"credibility":1,"name":"SIR App Interface","type":"official","url":"https://app.sir.trading/auctions"},{"credibility":1,"name":"SIR Official Documentation — Introducing SIR","type":"official","url":"https://docs.sir.trading"},{"credibility":2,"name":"Rekt News — SIR Trading Rekt (relaunch plans)","type":"news","url":"https://rekt.news/sirtrading-rekt"}]}],"sources_used":[{"name":"CoinTelegraph — DeFi protocol SIR.trading loses entire $355K TVL in 'worst news' possible","type":"news_article","url":"https://cointelegraph.com/news/defi-protocol-sir-trading-loses-entire-355-k-tvl-exploit"},{"name":"Rekt News — SIR Trading Rekt","type":"news_article","url":"https://rekt.news/sirtrading-rekt"},{"name":"Blockscope Research — SIR Protocol Exploit: Analyzing the Transient Storage Vulnerability","type":"research","url":"https://research.blockscope.co/sir-protocol-exploit/"},{"name":"DeFiHackLabs — SIR Exploit ~355k Loss Vulnerability Analysis","type":"research","url":"https://defihacklabs.substack.com/p/sir-exploit-355k-loss-vulnerability"},{"name":"Crypto.news — SIR.trading offers attacker $100K bounty after losing entire TVL","type":"news_article","url":"https://crypto.news/sir-trading-offers-attacker-100k-bounty-after-losing-entire-tvl-to-exploit/"},{"name":"Bitget 
News — SIR.trading founder pleads for return of $255K after $355K hack","type":"news_article","url":"https://www.bitget.com/news/detail/12560604677744"},{"name":"Cryptonomist — SIR.trading: Hacker steals entire TVL of $355,000","type":"news_article","url":"https://en.cryptonomist.ch/2025/03/31/sir-trading-hacker-steals-the-entire-tvl-of-355000-by-exploiting-a-vulnerability-in-ethereums-transient-storage/"},{"name":"CoinPaper — SIR.trading Loses Entire TVL in Devastating Hack","type":"news_article","url":"https://coinpaper.com/8281/sir-trading-loses-entire-tvl-in-devastating-hack"},{"name":"MoneyCheck — How SIR.trading Lost Everything in a Single Attack","type":"news_article","url":"https://moneycheck.com/worst-news-possible-how-sir-trading-lost-everything-in-a-single-attack/"},{"name":"FX Leaders — DeFi Protocol SIR.trading Suffers Catastrophic Hack","type":"news_article","url":"https://www.fxleaders.com/news/2025/03/31/defi-protocol-sir-trading-suffers-catastrophic-hack-losing-entire-355000-tvl/"},{"name":"GitHub — Egis-Security Audits Portfolio","type":"official","url":"https://github.com/Egis-Security/audits"},{"name":"SIR Official Documentation — Introducing SIR","type":"official","url":"https://docs.sir.trading"},{"name":"SIR Official Documentation — User Risks","type":"official","url":"https://docs.sir.trading/protocol-overview/user-risks"},{"name":"SIR Trading — Official Website","type":"official","url":"https://www.sir.trading/"},{"name":"SIR App Interface","type":"official","url":"https://app.sir.trading/auctions"},{"name":"Xatarrer X Profile","type":"other","url":"https://x.com/xatarrer"},{"name":"Defi-Planet — SIR.trading Founder Appeals to Hacker for Return of Stolen Funds","type":"news_article","url":"https://defi-planet.com/2025/04/sir-trading-founder-appeals-to-hacker-for-return-of-stolen-funds-after-355k-exploit/"}],"summary":"SIR.trading (Synthetics Implemented Right) is an Ethereum-based DeFi protocol launched on February 20, 2025, offering 
leveraged trading without liquidation risk or volatility decay. On March 30, 2025, an attacker exploited a transient storage vulnerability in the protocol's Vault contract to drain the entire $355,000 TVL — one of the first documented real-world exploits targeting Ethereum's EIP-1153 transient storage feature introduced in the Dencun upgrade. The protocol subsequently relaunched after completing additional security audits, but no stolen funds were recovered.","timeline":[{"date":"2021-01-01","event":"Pseudonymous founder Xatarrer begins developing SIR.trading over approximately four years without venture capital funding, supported by approximately $70,000 from community contributors.","source":"Rekt News","source_url":"https://rekt.news/sirtrading-rekt"},{"date":"2025-01-01","event":"Egis Security completes security audit of SIR.trading, finding 3 high-severity, 2 medium-severity, and 2 low-severity issues. The transient storage slot collision vulnerability is not identified.","source":"Rekt News / GitHub Egis-Security","source_url":"https://github.com/Egis-Security/audits"},{"date":"2025-01-30","event":"Attacker deploys malicious ERC-20 tokens and creates a controlled Uniswap V3 liquidity pool, beginning preparation for the exploit at 6:18 UTC.","source":"Blockscope Research","source_url":"https://research.blockscope.co/sir-protocol-exploit/"},{"date":"2025-02-20","event":"SIR.trading launches on Ethereum mainnet, growing to approximately $355,000–$400,000 TVL through organic growth without advertising.","source":"Rekt News","source_url":"https://rekt.news/sirtrading-rekt"},{"date":"2025-03-30","event":"Attacker exploits transient storage slot collision in the Vault contract's uniswapV3SwapCallback function, draining the entire $355,000 TVL in USDC, wBTC, and wETH. Stolen assets are immediately routed through Railgun. 
The exploit is detected by TenArmorAlert and Decurity.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/defi-protocol-sir-trading-loses-entire-355-k-tvl-exploit"},{"date":"2025-03-31","event":"Founder Xatarrer issues on-chain plea to the attacker, offering $100,000 bounty to keep as compensation for the bug discovery and requesting the return of the remaining ~$255,000, pledging no legal action. Describes the event as 'the worst news a protocol can receive.'","source":"Crypto.news","source_url":"https://crypto.news/sir-trading-offers-attacker-100k-bounty-after-losing-entire-tvl-to-exploit/"},{"date":"2025-04-01","event":"Attacker does not respond to bounty offer. Stolen funds remain in Railgun. SIR team announces intent to relaunch and begins seeking auditors willing to accept token equity in lieu of payment.","source":"Rekt News","source_url":"https://rekt.news/sirtrading-rekt"},{"date":"2025-01-01","event":"Protocol relaunches at app.sir.trading following completion of four independent security audits. No stolen funds recovered. Relaunch expands to HyperEVM and MegaETH networks in addition to Ethereum.","source":"SIR Official Documentation","source_url":"https://docs.sir.trading"}]},"v":1}