Investigation of the TempleDAO STAX contract by Callisto Security Department
Exploit overview
On October 11, 2022 the DeFi protocol TempleDAO was exploited. About $2.3M worth of funds were withdrawn from the platform contract at that time. The amount is 4% of the total amount of funds involved in TempleDAO. The attacker then moved the funds to TornadoCash.
Here is the invocation flow of the transaction: https://phalcon.blocksec.com/tx/eth/0x4b119a4f4ba1ad483e9851973719f310527b43f3fcc827b6d52db9f4c1ddb6a2
The hacker's account was linked to Binance, as per this tweet.
What happened?
As can be observed in the invocation flow, the attacker used the privileged migrateStake function to gain access to funds that he was not supposed to have access to.
321154 xLP tokens were withdrawn from the xLP Staking contract. The xLP tokens were then swapped for $TEMPLE and $FRAX tokens, and the $TEMPLE tokens were sold for $FRAX tokens. As a result, the hacker ended up with $FRAX tokens, which were then moved to TornadoCash in multiple transactions.
See the transaction history of this address for the exact transaction details: https://etherscan.io/address/0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0
The root of the problem
A smart-contract programmer's mistake. In the Solidity programming language, function modifiers are what define access restrictions in most cases.
As shown in the code snippet above, there is an “onlyOwner” modifier on a privileged function, which means that only a special account with “owner” privileges can use this function.
The same access restriction modifier should have been used on the migrateStake() function. However, the smart-contract developer forgot to add it.
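The following sketch is an added illustration of the pattern described above, not the STAX contract source: the contract name, state variables, function parameters and bodies are hypothetical, and only the names onlyOwner and migrateStake come from this article. It places a privileged function that carries the modifier next to the same kind of function without it, followed by the corrected form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical staking contract written for this illustration.
// It is NOT the TempleDAO/STAX code; parameters and bodies are assumptions.
contract StakingSketch {
    address public owner;
    mapping(address => uint256) public stakeOf; // credited stake per account

    constructor() {
        owner = msg.sender;
    }

    // Access restriction: reverts unless the caller is the owner account.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Privileged function WITH the restriction, as a reviewer expects to see it.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        owner = newOwner;
    }

    // BEFORE: privileged function with no access modifier.
    // "external" alone means every account on the network may call it,
    // so the stake credit below is not limited to the owner.
    function migrateStakeUnrestricted(address staker, uint256 amount) external {
        stakeOf[staker] += amount;
    }

    // AFTER: identical body, one added modifier.
    // A call from any non-owner account now reverts inside onlyOwner
    // before the state change is reached.
    function migrateStake(address staker, uint256 amount) external onlyOwner {
        stakeOf[staker] += amount;
    }
}
```

A review checklist item that catches this class of mistake: list every external or public function that changes state and confirm each one either carries an access modifier or is intentionally open to all callers.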
Conclusions
It can be concluded that the contract was not properly tested and that no code review was conducted.
The issue would have been very easy to avoid if even a junior-level Solidity developer had reviewed the code before deployment.
The issue could be fixed easily by just adding the modifier before code deployment.