Apr 1, 2025

SIR.trading Founder Appeals for Return of $255K Following Hack

After losing $355,000 in a smart contract exploit on March 30, the founder of decentralized finance protocol SIR.trading has issued an emotional onchain plea to the anonymous attacker, offering a $100,000 bounty in exchange for the return of the remaining funds.

In a March 31 message, SIR.trading’s pseudonymous founder, Xatarrer, addressed the attacker directly:

“Here is my proposal, keep $100k as a fair share for your critical bug find, and return the remaining to 0x5000Ff6Cc1864690d947B864B9FB0d603E8d1F1A. We’ll call it even. No legal games, no drama.”

Xatarrer emphasized that SIR.trading was born from four years of late-night coding and the financial backing of a small, grassroots community. With $70,000 in initial funding, raised from friends and early supporters, the team built the protocol without venture capital or marketing.

“If you keep 100% of the funds, there is no chance for us to survive.”

The founder even acknowledged the skill behind the attack, calling it “almost beautiful” if not for the damage done to real users.

So far, the attacker has not responded, and blockchain data shows the stolen funds were routed through Ethereum privacy protocol Railgun, according to Etherscan.


The Vulnerability: Transient Storage in Ethereum’s Dencun Upgrade

The exploit originated in a callback function within SIR.trading’s vulnerable vault contract, which made use of transient storage, a new feature added in Ethereum’s March 2024 Dencun upgrade. While transient storage was designed to lower gas costs for developers, it also introduced new complexities that, in this case, proved fatal.

The attacker manipulated the callback function to swap the legitimate Uniswap pool address with one under their own control. They then repeatedly invoked the function, draining the entire vault’s total value locked (TVL) into their address.
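A minimal Python model of the failure class described above, added here as an illustration and not SIR.trading's contract code: a callback that authenticates its caller only against a transient-storage slot trusts whatever was last written to that slot in the same transaction. The slot number, addresses, class names and the mid-transaction write are assumptions; the article does not say how the pool address was replaced.

```python
class TransientStore:
    """Toy model of EIP-1153 transient storage for one contract."""
    def __init__(self):
        self._slots = {}
    def tstore(self, slot, value):
        self._slots[slot] = value
    def tload(self, slot):
        return self._slots.get(slot, 0)      # unset slots read as zero
    def end_transaction(self):
        self._slots.clear()                  # wiped only when the tx ends

POOL_SLOT = 1               # hypothetical slot number
REAL_POOL = "0xPOOL"        # constructed placeholder addresses
OTHER = "0xOTHER"

class Vault:
    def __init__(self, hardened):
        self.t = TransientStore()
        self.hardened = hardened
        self.balance = 300

    def begin_swap(self):
        self.t.tstore(POOL_SLOT, REAL_POOL)  # remember who may call back

    def swap_callback(self, caller, amount):
        if caller != self.t.tload(POOL_SLOT):
            raise PermissionError("caller does not match transient slot")
        if self.hardened:
            if caller != REAL_POOL:          # compare with a value no slot write can change
                raise PermissionError("caller is not the derived pool")
            self.t.tstore(POOL_SLOT, 0)      # single use: clear before paying out
        self.balance -= amount
        return amount

def run_transaction(vault, calls=3, amount=100):
    """Return how many callbacks from OTHER succeeded within one transaction."""
    vault.begin_swap()
    vault.swap_callback(REAL_POOL, 0)        # legitimate callback
    # Assumption: some write path replaces the slot value mid-transaction.
    vault.t.tstore(POOL_SLOT, OTHER)
    paid = 0
    for _ in range(calls):
        try:
            vault.swap_callback(OTHER, amount)
            paid += 1
        except PermissionError:
            pass                             # rejected callback, nothing paid
    vault.t.end_transaction()
    return paid
```

The unhardened vault pays out on every repeated callback because the slot keeps its last value until the transaction ends; the hardened one rejects them because the caller check no longer depends on the slot alone.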

SIR.trading had marketed itself as “a new DeFi protocol for safer leverage,” aimed at addressing common pain points in leveraged trading—like liquidation risk and volatility decay.

Just one day before the onchain message, the SIR.trading team had expressed its intent to keep the protocol running and promised that impacted users “will not be forgotten.”

But without the return of funds, the project’s future now hangs in the balance.

The SIR.trading hack comes at a time when the industry is actively trying to shed its reputation for high-profile exploits.

According to blockchain security firm CertiK, crypto losses due to scams and exploits totaled $28.8 million in March. That figure includes an adjustment of $4.8 million recovered in the 1inch Resolver incident, where hackers returned funds.

However, that’s a stark improvement compared to February, which saw one of the worst exploit months in recent memory—headlined by the $1.4 billion Bybit hack.

Grassroots Projects Still Need Guardrails

SIR.trading’s story highlights a persistent reality in DeFi: even the most well-intentioned, community-backed projects remain vulnerable to sophisticated attacks, especially when integrating new blockchain features.

Whether or not the hacker accepts Xatarrer’s offer, the incident underscores the need for rigorous contract audits, fail-safes in emerging technologies, and more secure standards as DeFi continues to evolve.

For now, one founder and their community are left hoping that ethics will prevail over anonymity and that what was taken in seconds might still be partially returned in good faith.
