Temple DAO hacked for over $2.3M
TempleDAO has taken down the dApp to avoid accidental usage and is offering the hacker a legal bounty for the exploit.
DeFi protocol Temple DAO lost over $2.3 million on Oct. 11 to a hack first spotted by Twitter user Spreekaway and confirmed by blockchain analytics firm PeckShield.
#PeckShieldAlert Seems like @templedao got exploited. The exploiter funded from SimpleSwap and already transferred 1,831 $ETH (~$2.34M) to a new address 0x2B63d…B5A0 @peckshield https://t.co/bOyOARyyxY pic.twitter.com/SVEm8o95U6
— PeckShieldAlert (@PeckShieldAlert) October 11, 2022
According to PeckShield, the hacker funded the attack from SimpleSwap and has transferred 1,831 ETH to a new address, 0x2B63d.
TempleDAO retweeted a Twitter thread about the exploit from the DeFi protocol Stax Finance. According to the thread, 321,154 xLP tokens were stolen from the xLP Staking contract and converted to 1,418,303 $TEMPLE tokens and 1,262,438 $FRAX. The TEMPLE tokens were also later sold for FRAX.
It was revealed that the hacker exploited a “missing onlyMigrator check” on a function in the StaxLPStaking contract.
Meanwhile, TempleDAO has taken down the dApp to avoid accidental usage. The team urged the hacker to return the funds, offering him a legal bounty for the exploit.
Another blockchain security firm, CertiK, wrote that the “cause of this attack is that migrateStake function does not check if the input oldStaking is expected. As a result, attackers can forge oldStaking contracts to arbitrarily add balances.”
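The root cause CertiK describes, shown as a simplified Solidity sketch of the unchecked pattern beside a hardened form. This is an added example, not the StaxLPStaking source or TempleDAO's fix; the names IOldStaking, migrateWithdraw, IERC20Min, approvedOldStaking and setApprovedOldStaking are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; simplified, NOT the StaxLPStaking source.
// Hypothetical names: IOldStaking, migrateWithdraw, IERC20Min, approvedOldStaking.
interface IOldStaking {
    // Expected to send `amount` of the staker's tokens to the caller (the new contract).
    function migrateWithdraw(address staker, uint256 amount) external;
}

interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
}

contract StakingMigrationSketch {
    IERC20Min public immutable stakingToken;
    address public immutable owner;
    mapping(address => uint256) public balances;
    mapping(address => bool) public approvedOldStaking;

    constructor(IERC20Min token) {
        stakingToken = token;
        owner = msg.sender;
    }

    function setApprovedOldStaking(address oldStaking, bool ok) external {
        require(msg.sender == owner, "not owner");
        approvedOldStaking[oldStaking] = ok;
    }

    // BEFORE: `oldStaking` is caller-supplied and never validated, so the call
    // below can land on any contract, including one whose migrateWithdraw does
    // nothing. The balance is credited regardless.
    function migrateStakeUnchecked(address oldStaking, uint256 amount) external {
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        balances[msg.sender] += amount;
    }

    // AFTER: only an approved source contract is accepted, and the credit is
    // tied to tokens that actually arrived during the call.
    function migrateStake(address oldStaking, uint256 amount) external {
        require(approvedOldStaking[oldStaking], "unexpected oldStaking");
        uint256 beforeBal = stakingToken.balanceOf(address(this));
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        uint256 received = stakingToken.balanceOf(address(this)) - beforeBal;
        require(received == amount, "tokens not received");
        balances[msg.sender] += amount;
    }
}
```

The allowlist check addresses the missing validation of oldStaking; the balance-delta check is an extra safeguard so that internal accounting cannot grow without a matching token transfer.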
Project @templedao (TEMPLE) has been exploited for ~$2M.
It appears that EOA 0x9c9F… received ~1831 ETH from the exploit & has transferred the funds to 0x2B63…
More information on the incident coming soon.
Stay safe out there! pic.twitter.com/r7I7XlufPY
— CertiK Alert (@CertiKAlert) October 11, 2022