Hack Analysis: Decoding Stax Finance's Vulnerability

neptunemutual · November 06, 2024 · 9 hits

Stax Finance, a TempleDAO-based project, was hacked, costing it approximately $2.36 million.

TL;DR

On October 11, 2022, the TempleDAO-based project Stax Finance was hacked, costing it approximately $2.36 million.

Introduction to TempleDAO

TempleDAO is a yield-farming DeFi protocol that offers users yields on their deposits. Stax is a decentralized application powered by TempleDAO.

Vulnerability Assessment

The likely cause of the incident is that the migrateStake function did not validate the oldStaking address it was given, so the attacker supplied a forged oldStaking contract and used it to credit himself an arbitrary balance.

Steps

Step 1:

The exploiter address can be found here, alongside the attack transaction 0x8c3f442fc6d640a6ff3ea0b12be64f1d4609ea94edd2966f42c01cd9bdcf04b5.

Step 2:

The account was initially funded through Binance with 1.09 ETH.

Step 3:

The lack of permission checks in the migrateStake function of the StaxLPStaking contract is the primary cause of this incident.

Step 4:

First, the contract determines whether the user has funds in the old staking contract.

Step 5:

Because no checks were performed beforehand, the oldStaking contract could be any contract at all; its address is simply passed in as an argument to the function.

Step 6:

Anyone can use this function to withdraw StaxLP from the contract.

Step 7:

The attacker deployed his own smart contract, consisting of nothing but a migrateWithdraw function with an empty body.

Step 8:

He then called the migrateStake function, passing his own contract as the old staking contract together with the maximum possible amount.

Step 9:

All the tokens were withdrawn using the withdrawAll function.

Step 10:

The exploiter then closed the position on Uniswap and sold everything for ETH.

Step 11:

The exploiter eventually transferred all of the stolen assets to the address 0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0.

Aftermath

The team has stated that it will remediate all affected users.

How to prevent such an attack vector

This exploit could have been avoided with a sanity check that accepts only whitelisted old staking contracts.
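As an added illustration (not the Stax Finance contract and not code from the original write-up), the following shows the vulnerable pattern described in the steps above next to a hardened version that accepts only whitelisted old staking contracts. The names migrateStake, migrateWithdraw and StaxLP come from the write-up; the parameter list of migrateStake, the IStaxLPStaking interface, the owner/whitelist storage and the assumption that a genuine migrateWithdraw transfers StaxLP tokens to the new contract are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative example; not the Stax Finance code.
// Assumed interface: the legacy staking contract releases `amount` of
// StaxLP on behalf of `staker`, transferring it to the caller (the new contract).
interface IStaxLPStaking {
    function migrateWithdraw(address staker, uint256 amount) external;
}

// Minimal ERC-20 surface used for the balance-delta check below.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable pattern: the caller chooses `oldStaking`, so a contract whose
// migrateWithdraw does nothing passes this call and the caller is credited
// `amount` without any StaxLP ever arriving.
contract VulnerableStaking {
    mapping(address => uint256) public balanceOf;

    function migrateStake(address oldStaking, uint256 amount) external {
        IStaxLPStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        balanceOf[msg.sender] += amount; // credited on trust alone
    }
}

// Hardened pattern: only operator-approved legacy contracts may be migrated
// from, and the credited amount must match StaxLP actually received.
contract HardenedStaking {
    address public immutable owner;
    IERC20 public immutable staxLP;          // assumed LP token address
    mapping(address => bool) public isOldStaking;
    mapping(address => uint256) public balanceOf;

    event OldStakingSet(address indexed oldStaking, bool allowed);
    event Migrated(address indexed staker, address indexed oldStaking, uint256 amount);

    constructor(IERC20 _staxLP) {
        owner = msg.sender;
        staxLP = _staxLP;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Whitelist management: only the operator can register a legacy contract,
    // and only a deployed contract can be registered.
    function setOldStaking(address oldStaking, bool allowed) external onlyOwner {
        require(oldStaking.code.length > 0, "not a contract");
        isOldStaking[oldStaking] = allowed;
        emit OldStakingSet(oldStaking, allowed);
    }

    function migrateStake(address oldStaking, uint256 amount) external {
        require(isOldStaking[oldStaking], "old staking not whitelisted");
        require(amount > 0, "zero amount");

        // Defence in depth: credit only what the legacy contract really delivered.
        uint256 before = staxLP.balanceOf(address(this));
        IStaxLPStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        uint256 received = staxLP.balanceOf(address(this)) - before;
        require(received == amount, "LP not received");

        balanceOf[msg.sender] += received;
        emit Migrated(msg.sender, oldStaking, received);
    }
}
```

The whitelist alone closes the hole described in the write-up, since an attacker-deployed contract can never be registered by the operator. The balance-delta check is an independent second line: even if a whitelisted contract misbehaved, no balance would be credited without a matching StaxLP transfer, and the Migrated event gives monitoring a clean signal to alert on unexpected migration volume.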
