<p>On March 30, 2025, the DeFi protocol <strong>SIR.trading</strong> was hacked, resulting in the loss of $355,000 at the time of the writing. The attack was caused by a mistake when performing gas optimization using new <strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">EIP-1153</a></strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow"> - </a><strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">Transient storage opcodes</a>.</strong></p><h3><strong>Overview</strong></h3><p>Attacker: <a href="https://etherscan.io/address/0x27defcfa6498f957918f407ed8a58eba2884768c" rel="nofollow">https://etherscan.io/address/0x27defcfa6498f957918f407ed8a58eba2884768c</a></p><p>Vulnerable Contract: <a href="https://etherscan.io/address/0xb91ae2c8365fd45030aba84a4666c4db074e53e7#code" rel="nofollow">https://etherscan.io/address/0xb91ae2c8365fd45030aba84a4666c4db074e53e7#code</a></p><p>Transaction attack: <a href="https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f" rel="nofollow">https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f</a></p><p><strong>EIP-1153 </strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">- </a><strong>Transient storage opcodes</strong> adds 2 opcodes for manipulating state that behaves almost identically to storage but is discarded after every transaction: </p><ul><li><p><code>TLOAD</code> pops one 32-byte word from the top of the stack, treats this value as the address, fetches 32-byte word from the transient storage at that address, and pushes the value on top of the stack.</p></li><li><p><code>TSTORE</code> pops two 32-byte words from the top of the stack. The word on the top is the address, and the next is the value. <code>TSTORE</code> saves the value at the given address in the transient storage.</p></li></ul><p>Addressing is the same as <code>SLOAD</code> and <code>SSTORE</code>. i.e. each 32-byte address points to a unique 32-byte word.</p><p>Gas cost for <code>TSTORE</code> is the same as a warm <code>SSTORE</code> of a dirty slot (i.e. original value is not new value and is not current value, currently 100 gas), and gas cost of <code>TLOAD</code> is the same as a hot <code>SLOAD</code> (value has been read before, currently 100 gas). Gas cost cannot be on par with memory access due to transient storage’s interactions with reverts.</p><p>All values in transient storage are discarded at the end of the transaction so basically we can use them like a cheaper storage that only last for a transaction. One use-case is the Reentrancy Locks. </p><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9a6f8e3-4cf0-4280-a40f-629338bc8a56_964x482.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/93746412e766de54ffea2995b96b8654.jpg" alt=""></source></picture><div><div><div></div><div></div></div></div></div></a></figure></div><h3><strong>Exploit Analysis</strong></h3><ul><li><p>In the <strong>mint</strong> function, the <strong>Vault</strong> contract of <strong>SIR.trading</strong> uses transient storage to to store <strong>UniswapV3pool</strong> address before performing <strong>swap.</strong></p></li></ul><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39229473-4f27-4fb5-9bf7-3de74f7a2e41_900x366.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/fdebf86cab3ff67724499545f3bdb8c7.jpg" alt=""></source></picture><div><div><div></div><div></div></div></div></div></a></figure></div><ul><li><p>The pool address stored in transient storage <strong>0x1</strong> is later uses in <strong>uniswapV3SwapCallback</strong> to verify that the <strong>msg.sender</strong> is <strong>Uniswapv3 pool</strong> and then transfer tokens to the pool to performing swap. </p></li></ul><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd5a089fa-343f-4995-83c1-ca5fc66d6de8_936x849.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/29b643f1284b4cc4bd4b4689d40a58e2.jpg" alt=""></source></picture><div><div><div></div><div></div></div></div></div></a></figure></div><ul><li><p>The implementation is correct up to this point, but then they need to return the <strong>amount</strong> to the <strong>mint</strong> function. They try to save gas costs again by using transient storage: storing the <strong>amount</strong> in transient storage <strong>0x1</strong> and loading it in the <strong>mint</strong> function.</p></li></ul><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd2363f-b5fe-4f73-a423-289b678175d5_730x72.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/b35dbcc2f390b6acc1e335baa5aecec8.jpg" alt=""></source></picture><div></div></div></a></figure></div><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ac82f3-9cdb-4e99-bfb7-d218f0e49dd0_896x75.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/5b584cb6303f09db5fd86acc9d22d58f.jpg" alt=""></source></picture><div></div></div></a></figure></div><ul><li><p>This is where the pitfall occurs. The transient storage <strong>0x1 </strong>is now overwritten with <strong>amount </strong>and the transient storage remains for the whole transaction so if in this transaction, we call <strong>uniswapV3SwapCallback</strong> function again, it will load the <strong>0x1 </strong>which is now the <strong>amount</strong> instead of the pool address. Since the <strong>amount </strong>can be controlled by crafting  arguments in <strong>uniswapV3SwapCallback</strong> function, attacker bruteforced an address<strong> 0x00000000001271551295307acc16ba1e7e0d4281 </strong>(<strong>amount </strong>= <strong>95759995883742311247042417521410689</strong>).</p></li><li><p>The attacker deployed contract <strong>0x00000000001271551295307acc16ba1e7e0d4281</strong> with <strong>CREATE2, </strong>provided crafted arguments to <strong>mint</strong> exactly the number of tokens above, successfully manipulating the transient storage <strong>0x1</strong> to the <strong>amount (0x00000000001271551295307acc16ba1e7e0d4281)</strong>. The contract then<strong> </strong>directly called <strong>uniswapV3SwapCallback</strong>, bypass the <strong>Uniswapv3 pool</strong> check and transferred tokens from the vault to the attacker’s wallet.</p></li></ul><div><figure><a href="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe888d1df-05fe-4596-ba91-65ee185bf893_1080x630.png" rel="nofollow"><div><picture><source><img src="https://static.fwimg.io/img/feed/fc560f2575e83caf61e46537e7cec4ad.jpg" alt=""></source></picture><div><div><div></div><div></div></div></div></div></a></figure></div><h3><strong>Conclusion</strong></h3><p><strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">EIP-1153</a></strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow"> - </a><strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">Transient storage opcodes</a> </strong>introduces a great way to save gas cost but with the great power comes with great responsibility. Smart contract developers should understand the lifetime of transient storage variables before use.</p><p>Because transient storage is automatically cleared at the end of the transaction, <strong>smart contract developers may be tempted to avoid clearing slots as part of a call in order to save gas</strong>. However, this could prevent further interactions with the contract in the same transaction (e.g. in the case of re-entrancy locks) or cause other bugs, so smart contract developers should be careful to <em><strong>only</strong></em><strong> leave transient storage slots with nonzero values when those slots are intended to be used by future calls within the same transaction</strong>. Otherwise, these opcodes <strong>behave exactly the same as </strong><code>SSTORE</code><strong> and </strong><code>SLOAD</code>, so all the usual security considerations apply especially in regard to <strong>reentrancy</strong> <strong>risk</strong>.</p><p>In the SIR.trading case, they did not clear the <strong>0x1</strong> slot after using it to store the <strong>uniswapPool</strong> and <strong>amount</strong>, and they also reused the <strong>0x1</strong> for the <strong>amount</strong>, which led to the exploitation.</p><p>Smart contract developers need to carefully understand the new features, especially the breaking changes, before using them. Always remember to review the <strong>EIPs</strong> carefully, including all security considerations, when implementing them.</p><p>Additionally, it is strongly recommended to <strong>conduct a security audit</strong>, not only for the first release version but also for any new features added in the future. Since the upgrading process can introduce various issues, it should also be thoroughly audited.</p>

EIP-1153 - Transient Storage: Save Gas, Lose Bag

<p>2025年3月30日，去中心化金融协议<strong>SIR.trading</strong>遭到黑客攻击，造成损失35.5万美元。攻击是由使用新的<strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">EIP-1153</a></strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow"> - </a><strong><a href="https://eips.ethereum.org/EIPS/eip-1153" rel="nofollow">临时存储操作码</a></strong>进行gas优化时的错误引起的。</p><h3><strong>概述</strong></h3><p>攻击者：<a href="https://etherscan.io/address/0x27defcfa6498f957918f407ed8a58eba2884768c" rel="nofollow">https://etherscan.io/address/0x27defcfa6498f957918f407ed8a58eba2884768c</a></p><p>漏洞合约：<a href="https://etherscan.io/address/0xb91ae2c8365fd45030aba84a4666c4db074e53e7#code" rel="nofollow">https://etherscan.io/address/0xb91ae2c8365fd45030aba84a4666c4db074e53e7#code</a></p><p>攻击交易：<a href="https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f" rel="nofollow">https://etherscan.io/tx/0xa05f047ddfdad9126624c4496b5d4a59f961ee7c091e7b4e38cee86f1335736f</a></p>

EIP-1153 - 暂时存放：节省 Gas，丢弃袋子

加密货币分析公司 Alphractal 在其最新报告中对竞争币市场做出了引人注目的观察。
据报道，ENA 和 TRUMP 在山寨币中脱颖而出，拥有较高的...

分析公司警告：“暂时远离这 7 种山寨币”

原文 | Kyle（@0 xkyle__）
编译 | Odaily 星球日报（@OdailyChina）
译者| 叮当（@XiaMiPP）
编者按：最近，加密行业最火热、也最有趣的叙事之一，来自于 Collector Crypt 将 TCG（集换式卡牌游戏）带上链的尝试。其原生代币 CARDS 在短时间内上涨近十倍，也让人们重新思考加密与现实收藏品结合的潜力。本文作者 Kyle 聚焦于 Colle...

深挖CARDS真正价值：Collector Crypt的五重护城河

Dogecoin的价格仍远低于历史最高价，而其他高市值加密货币却不断创下纪录。Doge能否再次闪耀？