# TempleDAO's STAX Contract Hack Investigation

<figure><img src="https://3920319084-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUzLb2yEh5vprUvIcsmqQ%2Fuploads%2F4YbTxsGiRS0sgq1JIvoS%2FTempleDAO.jpg?alt=media&#x26;token=c2df5690-fb89-4552-a025-f4ce56a6e976" alt=""><figcaption></figcaption></figure>

## Exploit overview <a href="#fa2a" id="fa2a"></a>

On October 11, 2022 the DeFi protocol TempleDAO was exploited. About $2,3M worth of funds were withdrawn from the platform contract at that time. The amount is 4% of the total amount of funds involved in the TempleDAO. The attacker then moved the funds to [TornadoCash](https://www.coindesk.com/tech/2022/10/17/templedao-exploiter-moves-ether-worth-over-25m-to-tornado-cash/).

Here is the invocation flow of the transaction <https://phalcon.blocksec.com/tx/eth/0x4b119a4f4ba1ad483e9851973719f310527b43f3fcc827b6d52db9f4c1ddb6a2>

The account of a hacker was linked to Binance as per [this tweet](https://twitter.com/officer_cia/status/1579843881050730499).

## What happened? <a href="#d1df" id="d1df"></a>

As it can be observed at the invocation flow the attacker used the privileged *migrateStake* function to gain access to the funds that he was not supposed to.

321154 *xLP* tokens were withdrawn from the *xLP Staking contract.* Then xLP tokens were swapped for *$TEMPLE* and *$FRAX* tokens. *$TEMPLE* tokens were then sold for *$FRAX* tokens. As the result hacker ended up with *$FRAX* tokens which then were moved to TornadoCash in multiple transactions.

Watch transaction history of this address for exact transaction details <https://etherscan.io/address/0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0>

## The root of the problem <a href="#f6cb" id="f6cb"></a>

**Smart-contract programmers mistake.** In Solidity programming language there are function modifiers that define access restrictions in most cases.

As it is shown on the code snipped above there is an “onlyOwner” modifier on a privileged function which defines that only special account with “owner” privileges can use this function.

The same access restriction modifier should have been used on *migrateStake()* function. However the smart-contract developer forgot to add it.

## Conclusions <a href="#id-8c07" id="id-8c07"></a>

It can be concluded that the contract was not properly tested and the code review was not conducted.

The issue was very easy to avoid if even a junior-level solidity developer would have to review the code before deployment.

The issue could be fixed easily by just adding the modifier before code deployment.