Callisto Network
WebsiteSecurity DepartmentTwitter
  • Whitepaper
    • ๐Ÿ‡ฎ๐Ÿ‡นWhitepaper (ITA)
    • ๐Ÿ‡ฎ๐Ÿ‡ณWhitepaper (TELUGU)
    • ๐Ÿ‡ฎ๐Ÿ‡ณWhitepaper (HINDI)
    • ๐Ÿ‡จ๐Ÿ‡ณWhitepaper (CN Traditional)
    • ๐Ÿ‡ญ๐Ÿ‡ฐWhitepaper (CN Simplified)
    • ๐Ÿ‡ซ๐Ÿ‡ทWhitepaper (FR)
    • ๐Ÿ‡ต๐Ÿ‡ญWhitepaper (PH)
  • ๐Ÿ“ŒStrategic Plan
  • Callisto Network Vision
  • ๐Ÿš€Callisto Network Progress Tracker
  • ๐Ÿ—“๏ธEcosystem Reports
    • Callisto Monthly - February 2023
    • Callisto Monthly - January 2023
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - January 2023 (ITA)
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - January 2023 (FR)
      • ๐Ÿ‡ฎ๐Ÿ‡ณCallisto Monthly - January 2023 (TELUGU)
    • Callisto Monthly - December 2022
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - December 2022 (ITA)
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - December 2022 (FR)
      • ๐Ÿ‡ต๐Ÿ‡ญCallisto Monthly - December 2022 (PHI)
    • Callisto Monthly - November 2022
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - November 2022 (FR)
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - November 2022 (ITA)
      • ๐Ÿ‡ฎ๐Ÿ‡ณCallisto Monthly - November 2022 (TELEGU)
    • Callisto Monthly - October 2022
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - October 2022 (ITA)
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - October 2022 (FR)
      • ๐Ÿ‡ต๐Ÿ‡ญCallisto Monthly - October 2022 (PHI)
      • ๐Ÿ‡จ๐Ÿ‡ณCallisto Monthly - October 2022 (CN Simplified)
      • ๐Ÿ‡ญ๐Ÿ‡ฐCallisto Monthly - October 2022 (CN Traditional)
      • ๐Ÿ‡ท๐Ÿ‡บMonthly - October 2022 (RU)
    • Callisto Monthly - September 2022
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - September 2022 (ITA)
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - September 2022 (FR)
      • ๐Ÿ‡ต๐Ÿ‡ญCallisto Monthly - September 2022 (PHI)
      • ๐Ÿ‡จ๐Ÿ‡ณCallisto Monthly - September 2022 (CN Simplified)
      • ๐Ÿ‡ญ๐Ÿ‡ฐCallisto Monthly - September 2022 (CN Traditional)
    • Callisto Monthly - August 2022
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - August 2022 (ITA)
      • ๐Ÿ‡ซ๐Ÿ‡ทCallisto Monthly - August 2022 (FR)
      • ๐Ÿ‡ต๐Ÿ‡ญCallisto Monthly - August 2022 (PH)
    • Callisto Monthly - July 2022
      • ๐Ÿ‡ฎ๐Ÿ‡นCallisto Monthly - July 2022 (ITA)
    • Callisto Monthly - June 2022
    • Callisto Monthly - May 2022
    • Callisto Monthly - April 2022
    • Callisto Monthly - March 2022
  • Technologies
    • ๐Ÿ“ˆCallisto Dynamic Monetary Policy
      • Crypto-models To Overcome Inflation and Callisto Network's Approach
      • Skuld Hard Fork - Update On Progress
    • ๐ŸงŠCold Staking
      • Cold Staking And PoS Staking Comparison
    • ๐Ÿช™Wrapped Callisto (ccCLO)
    • ยฎ๏ธDexNS 2021
    • โ›๏ธProof of Work
      • ZPoW #1 - Exploiting The Block Time & Block Size
      • Callisto Network Introduces the Dynamic Gas Price
    • โ“‚๏ธCallisto Network Masternodes
    • ๐ŸŽ“Tutorials
      • Setting Up Metamask For Callisto Network
        • Update the RPC URL in MetaMask
      • How to buy Callisto with Your Credit Card
      • How to Run a Callisto Network Node?
      • Callisto Network Masternodes Set-up
    • ๐ŸŒCallisto Hub
    • ๐ŸงฉWeb 3.0 Infrastructure
    • ๐Ÿ”Chain Inspector
  • We Fund You!
    • ๐Ÿ’ฒWe Fund You!
      • We Fund You Award - 1st Edition
  • Security Department
    • ๐Ÿ”Auditing Department
      • Auditing Department Amendment v5
    • ๐Ÿ“–Documentation
      • ๐Ÿ›ก๏ธSecurity Department Best Practices
      • ๐Ÿช™ERC 223 Token Standard
        • ERC20 Standard Main Issue
      • ๐Ÿ–ผ๏ธCallistoNFT Standard
        • Roadmap
      • โœ–๏ธCross-Chain Bridges Security Model
    • Products & Services
      • ๐Ÿ”Security Audits For Smart Contracts
        • Mission: Securing The Smart Contracts Ecosystem
        • Trust and Smart Contracts: Code is the Limit
    • ๐ŸคVarious Contributions
      • Ethereum Classic
        • ECIP-1092 51attack solution: PirlGuard & Callisto proposal
      • Ethereum
        • Statement regarding Geth v1.10.8 split
      • EOS
        • Page 1Chintai (EOS resource exchange) low severity issue.
        • EOS congestion 9/13/2019 and EOSPlay hack
      • Ultimate solution to 51% attacks: amend the Nakamoto consensus
  • Hack Investigation Dept.
    • Hack Investigation Department
    • Helio Exploit
    • Binance Bridge Hack
    • TempleDAO's STAX Contract Hack Investigation
    • NFT Theft Analysis
    • AUDIUS Governance System Exploit Overview
    • LUNA โ€˜Hardforkโ€™ Review
  • One Earth, One Heart
    • ๐ŸŒŽOne Earth, One Heart
    • ๐Ÿ’šCallisto Charity Efforts
  • Community
    • ๐Ÿ“ฅCallisto Network Improvement Proposals
    • ๐Ÿ’ฌCallisto AMAs
      • Callisto Team's Ask Me Anything on 04/05/2023
      • Callisto Team's Ask Me Anything on 03/03/2023
      • Callisto Team's Welcome AMA on 10/11/2022
      • Callisto Team's Ask Me Anything on 10/10/2022
      • Callisto Security Team's Ask Me Anything on 02/09/2022
      • Callisto Team's Ask Me Anything on 28/07/2022
      • Dexaran's Ask Me Anything on 11/04/2022
    • ๐Ÿ“ŒGet Started
  • Callisto Enterprise
    • ๐Ÿช™Callisto Enterprise Token
      • Vision and Tokenomics
    • ๐Ÿ‘ฅTeam
      • Callisto Team Motivation System
  • In The Press
    • ๐ŸŸขCallisto Network
      • Ethereum, Ethereum Classic, Callisto Network, A Common History
      • Callisto Network: Three Years After Mainnet Launch
      • Czech Ethereum Killer
    • ๐Ÿ–ผ๏ธNFTs
      • Artist Creates And Then Destroys Art To Launch CallistoNFT
      • Security Network Develops New NFT Standard To Address ERC-721 Flaws
  • Miscellaneous
    • ๐ŸงฉMedia Kit
Powered by GitBook
On this page
  • Exploit overview
  • What happened?
  • The root of the problem
  • Conclusions
  1. Hack Investigation Dept.

TempleDAO's STAX Contract Hack Investigation

PreviousBinance Bridge HackNextNFT Theft Analysis

Last updated 2 years ago

Exploit overview

On October 11, 2022 the DeFi protocol TempleDAO was exploited. About $2,3M worth of funds were withdrawn from the platform contract at that time. The amount is 4% of the total amount of funds involved in the TempleDAO. The attacker then moved the funds to .

What happened?

As it can be observed at the invocation flow the attacker used the privileged migrateStake function to gain access to the funds that he was not supposed to.

321154 xLP tokens were withdrawn from the xLP Staking contract. Then xLP tokens were swapped for $TEMPLE and $FRAX tokens. $TEMPLE tokens were then sold for $FRAX tokens. As the result hacker ended up with $FRAX tokens which then were moved to TornadoCash in multiple transactions.

The root of the problem

Smart-contract programmers mistake. In Solidity programming language there are function modifiers that define access restrictions in most cases.

As it is shown on the code snipped above there is an โ€œonlyOwnerโ€ modifier on a privileged function which defines that only special account with โ€œownerโ€ privileges can use this function.

The same access restriction modifier should have been used on migrateStake() function. However the smart-contract developer forgot to add it.

Conclusions

It can be concluded that the contract was not properly tested and the code review was not conducted.

The issue was very easy to avoid if even a junior-level solidity developer would have to review the code before deployment.

The issue could be fixed easily by just adding the modifier before code deployment.

Here is the invocation flow of the transaction

The account of a hacker was linked to Binance as per .

Watch transaction history of this address for exact transaction details

https://phalcon.blocksec.com/tx/eth/0x4b119a4f4ba1ad483e9851973719f310527b43f3fcc827b6d52db9f4c1ddb6a2
this tweet
https://etherscan.io/address/0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0
TornadoCash