An estimated $2.3 million worth of TempleDAO and its related project, STAX Finance, have been compromised.
An update from STAX recognized the attack. It stated that on October 11, the attacker was successful in stealing 321,154 xLP altogether. The 1.3 million FRAX and 1.4 million TEMPLE were exchanged for those tokens. Then, the TEMPLE tokens were exchanged for the FRAX token.
The attack cost more than $2.3 million based on the market value of those tokens. 1,831 ETH, or $2.34 million, according to PeckShield’s estimation, were taken during the incident.
Since it has stopped the dApp to prevent accidental access, STAX has urged users not to add any additional money to its contracts until the issue has been fixed.
The project stated that “remediations will be provided for all impacted users” and that the problem is “already under control and the exploiter can do no further harm.”
STAX further stated that it is “following up with Binance” over the situation. It must be attempting to monitor or restrict the flow of funds through the exchange. Several reports claim that the perpetrator first transferred money from a Binance account.
Last but not least, STAX said that it would establish a white hat bounty program to encourage the recovery of stolen money and raise the bounty it already gives through Hats Finance.
A staking-related smart contract’s inadequate access restriction made the attack possible. In order to invoke a certain function in that contract and request the transfer of cash, the attacker was able to create a fake smart contract.
Because its “vault contracts share no common code with STAX, have been inspected by PeckShield, and remain secure,” according to TempleDAO, the attack’s limited scope is highlighted by the company.