According to Etherscan data, a withdrawal from the project’s STAX staking vault occurred around 9:11 a.m. EST on October 11. As announced on TempleDAO’s official Discord, the withdrawal was “exactly 1,418,303 TEMPLE and 1,362,438 FRAX”.
As revealed by one of their contributors, the CORE vaults, which contain more than $100 million in stablecoins, are unaffected. The exploiter can do no further harm. The contributor also promised that all impacted users will receive fixes.
According to DefiLlama, the total value locked on TempleDAO is $56.93 million, with the exploit accounting for almost 4% of the protocol’s holdings. All funds were converted to Ethereum by the exploiter, who also moved $2.34 million to a new wallet.
The stablecoin FRAX was exchanged for the TEMPLE tokens. The wallet address in question was connected to a Binance account, which provided the initial funds to the wallet used in the exploit. About one and a half hours before the exploit, it received 1.1 ETH.
Blockchain security company Paladin stated that the TempleDAO hack is connected to a non-bridge-related smart contract.
The attack abused “multiple malpractices” in one of the staking mechanisms, which let users transfer staked tokens from an earlier contract. The exploiter called the function responsible with a false value, which granted them access to the vault and allowed them to extract all the funds without regard for the new contract.
After the theft of the staking vault, the price of the token briefly dropped by 20%.
In the meantime, TempleDAO has removed the dApp to prevent unintentional use. The team persuaded the hacker to return the funds, offering him a legal bounty for the exploit.