Background
The Ethereum Dencun upgrade introduces transient storage, a temporary storage feature that is only valid during transactions, aimed at improving the efficiency of complex transactions. Transient storage is implemented through TLOAD and TSTORE opcodes, with data cleared at the end of the transaction. However, this new feature also brings potential security risks, especially in decentralized finance (DeFi) protocols.
On March 30, 2025, the DeFi protocol SIR.trading suffered a hack, with attackers exploiting the vulnerabilities of transient storage, leading to a total loss of $355,000 in TVL.
Key Points
Research indicates that the hacker exploited the transient storage feature in the Ethereum Dencun upgrade to steal funds by replacing the Uniswap pool address, possibly due to the reuse of storage slots in the same transaction leading to type confusion.
Evidence tends to show that the hacker set values in the storage slot such that their lowest 160 bits matched their address, thus bypassing caller verification.
This vulnerability appears to be related to errors in transient storage management by smart contracts, particularly in the Uniswap V3 swap callback function.
Exploitation Process
The attacker exploited the reuse of a transient storage slot as follows:
The smart contract stores the Uniswap V3 pool address in transient storage slot 1 during the mint function.
In the same transaction, the contract later stores the minting amount (a particular value) in the same slot, overwriting the previous pool address.
The attacker sets the minting amount so that its lowest 160 bits match their address.
The attacker then directly calls the callback function, and the contract loads the value from slot 1 as an address, comparing it with msg.sender. Since the value in slot 1 has been set to the attacker's address, the verification passes, allowing them to perform unauthorized operations such as transferring funds.
Detailed Report
Analysis of the Ethereum Dencun Upgrade transient storage vulnerability and Uniswap pool address replacement
1. Ethereum Dencun Upgrade
The Ethereum Dencun upgrade is one of the largest updates since The Merge, aimed at enhancing scalability and efficiency by introducing features like transient storage. Transient storage is introduced through EIP-1153, providing temporary storage during transactions, with data cleared at the end of the transaction. However, on March 30, 2025, the DeFi protocol SIR.trading suffered a hack, losing a total of $355,000 in TVL, revealing potential security risks of transient storage. This report provides a detailed analysis of how the hacker exploited this feature to steal funds by replacing the Uniswap pool address.
2. Overview of Dencun Upgrade and Transient Storage
The Dencun upgrade combines changes from Cancun (execution layer) and Deneb (consensus layer), introducing multiple EIPs including EIP-1153, which adds TLOAD and TSTORE opcodes, implementing transient storage. The behavior of transient storage is similar to existing storage but is only valid during the transaction, intended to reduce gas costs for complex transactions. According to Ethereum Dencun Upgrade Explained, this feature is particularly suitable for optimizing smart contract execution efficiency, such as in the flash accounting of Uniswap V4.
3. SIR.trading Attack Incident
On March 30, 2025, SIR.trading (also known as Synthetics Implemented Right) suffered a hack, losing its entire TVL. The blockchain security companies TenArmorAlert and Decurity first detected the attack and issued alerts via X. According to DeFi protocol SIR.trading loses entire $355K TVL in exploit, the attack exploited the transient storage feature introduced in the Ethereum Dencun upgrade, specifically targeting the uniswapV3SwapCallback function of the Vault contract.
4. Attack Steps
According to SlowMist's analysis 'Fatal Residue | An On-Chain Heist Triggered by Transient Storage', the attack process is as follows:
4.1. Creating malicious tokens
The attacker created two malicious tokens A and B, adding liquidity to the Uniswap V3 pool, with A being the attack contract.
4.2. Initializing the market
The attacker called the initialize function of the Vault contract, using A as collateral and B as debt, to create the APE-21 market.
4.3. Calling the mint function
The attacker deposited B and minted APE; during minting, the mint function stores the Uniswap V3 pool address in transient storage slot 1, and the minting amount was 95759995883742311247042417521410689.
4.4. Deploying malicious contracts
The attacker deployed a malicious contract through the Keyless CREATE2 Factory at the address 0x00000000001271551295307acc16ba1e7e0d4281, which matches the value left in the transient storage slot.
4.5. Calling the callback function
The malicious contract called uniswapV3SwapCallback, transferring tokens; the attacker then set the minting amount to 1337821702718000008706643092967756684847623606640, matching the attack contract address 0xea55fffae1937e47eba2d854ab7bd29a9cc29170.
4.6. Transferring Funds
The attack contract (token A) then called uniswapV3SwapCallback again, transferring WBTC and WETH out of the Vault contract.
Vulnerability Root Cause
The root cause of the attack lies in the reuse of transient storage slot 1. The Vault contract stores the Uniswap V3 pool address in slot 1 during the mint function, and subsequently loads that address in the callback function to verify the caller. However, in the same transaction, the contract stores the minting amount (a numeric value) in the same slot, overwriting the previous pool address. Because EVM storage slots are 256 bits wide, a stored address (20 bytes, 160 bits) is zero-padded in its high bits, whereas the minting amount may use more than 160 bits.
The attacker exploited this type confusion by setting the minting amount to a value whose lowest 160 bits matched their address (for example, address 0xea55fffae1937e47eba2d854ab7bd29a9cc29170). In the callback function, the contract loads the value from slot 1 as an address, comparing it with msg.sender. Since the value in slot 1 has been set to the attacker's address, the verification passes, allowing them to perform unauthorized operations.
Technical Details
According to Transient Storage: Ethereum's Game-Changing Feature, transient storage is implemented through TSTORE and TLOAD opcodes, with data cleared at the end of the transaction. However, in the case of SIR.trading, the contract did not correctly manage the lifecycle of the slot, leading to data being overwritten. According to TSTORE Low Gas Reentrancy, the persistence of transient storage may introduce new reentrancy attack vectors, similar to the type confusion vulnerability in this case.
The uniswapV3SwapCallback function of the Vault contract is defined in File 1 (Vault.sol), with parameters int256 amount0Delta, int256 amount1Delta and bytes calldata data, and nonpayable state mutability. The function decodes data to obtain minter, ape, vaultParams, vaultState, reserves, zeroForOne and isETH. It uses transient storage slot 0 as a reentrancy lock (1 = locked, 0 = unlocked), and slot 1 to store the Uniswap pool address and, subsequently, the minting amount. According to Contract Code on Etherscan, the contract targets the EVM 'cancun' version, which supports transient storage, but no explicit tstore or tload opcodes were detected, likely hidden by compiler optimizations.
Losses and Aftermath
According to the MistTrack analysis (MistTrack Analysis URL), the attacker stole 17,814.8626 USDC, 1.4085 WBTC (converted to 63.5596 WETH), and 119.871 WETH, totaling 193.1428 WETH, which was transferred to Railgun; the attack was initially funded with 0.3 ETH from Railgun. The attacker's address and the attack transaction are linked in the Key Citations (Attacker’s Address, Attack Transaction). Total losses exceeded $300,000.
The founder of SIR.trading, Xatarrer, described this as 'the worst news' on X, stating that the team plans to continue operations but needs to rebuild user trust. According to SIR.trading begs hacker to return $255K or ‘no chance for us to survive’, the founder asked the hacker to return part of the funds so the protocol could survive.
Discussion and Implications
This event marks the first known exploitation of transient storage vulnerabilities after the Dencun upgrade, highlighting the security risks of the new feature. The persistence of transient storage can lead to data overwriting and type confusion, particularly in DeFi protocols where fund transfer operations are especially sensitive. Developers are advised to:
Avoid reusing different types of data in the same transient storage slot.
Ensure unnecessary transient storage values are cleared between function calls.
Conduct thorough security audits, especially when introducing new features after upgrades.
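A minimal Python model of the slot reuse described in the Vulnerability Root Cause section and of the three mitigations listed just above, written for this report as an added example (it is not code from SIR.trading, Uniswap or SlowMist). The pool address and the use of slot 2 for the hardened variant are assumptions; only the attack contract address comes from the report.

```python
# Added example, not code from SIR.trading, Uniswap or SlowMist: a minimal
# model of 256-bit EVM transient storage slots that replays the slot-reuse
# type confusion described above and applies the three mitigations listed.
# Every address except the attacker's is a constructed placeholder.
MASK_160 = (1 << 160) - 1

class TransientStorage:
    """One transaction's TSTORE/TLOAD slots: 256-bit words, zero by default."""
    def __init__(self):
        self.slots = {}
    def tstore(self, slot, word):
        self.slots[slot] = word & ((1 << 256) - 1)
    def tload(self, slot):
        return self.slots.get(slot, 0)

def as_address(word):
    """Mimics address(uint160(word)): silently drops the high 96 bits."""
    return word & MASK_160

def vulnerable_callback_allowed(ts, msg_sender):
    # Slot 1 is shared: whatever mint() wrote last is read back as the pool.
    return as_address(ts.tload(1)) == msg_sender

def hardened_callback_allowed(ts, msg_sender):
    # Mitigation 1: the pool address has its own slot (2), never the amount's.
    word = ts.tload(2)
    # Mitigation 2: a genuine address has no bits above 160, and an empty
    # slot (0) must not authorise anyone.
    if word == 0 or word >> 160:
        return False
    # Mitigation 3: clear the slot once used so it cannot authorise again.
    ts.tstore(2, 0)
    return word == msg_sender

def run_mint_then_callback(pool, amount, caller, hardened):
    """Replays the report's sequence: mint() stores the pool address, then
    the mint amount; afterwards `caller` invokes the swap callback directly."""
    ts = TransientStorage()
    if hardened:
        ts.tstore(2, pool)      # pool address in a dedicated slot
        ts.tstore(1, amount)    # amount in its own slot, nothing overwritten
        return hardened_callback_allowed(ts, caller)
    ts.tstore(1, pool)          # mint() records the pool in slot 1 ...
    ts.tstore(1, amount)        # ... then overwrites it with the mint amount
    return vulnerable_callback_allowed(ts, caller)

# Attack contract address from the report; the crafted amount's low 160 bits equal it.
ATTACKER = 0xEA55FFFAE1937E47EBA2D854AB7BD29A9CC29170
POOL = 0x1111111111111111111111111111111111111111  # constructed placeholder
```

Calling run_mint_then_callback(POOL, ATTACKER, ATTACKER, hardened=False) returns True, reproducing the bypass; the hardened variant returns False for the attacker and True only for the pool, and refuses a second callback once the slot has been consumed.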
Additionally, this event has sparked discussions about the security of the Ethereum ecosystem. According to Ethereum’s Dencun Upgrade: A Leap Toward Cheaper Decentralized Applications, the Dencun upgrade aims to reduce Layer 2 transaction fees, but security enhancements must parallel functional innovations.
Conclusion
The hacker successfully replaced the Uniswap pool address by exploiting the type confusion vulnerability in transient storage, stealing funds from the SIR.trading protocol. This case emphasizes the critical nature of transient storage management in smart contract development, necessitating enhanced security measures to protect the DeFi ecosystem in the future.
Impact and Implications
This vulnerability underscores the dangers of managing transient storage, particularly avoiding the reuse of different types of data in the same storage slot. The attacker successfully bypassed the caller verification through type confusion, stealing funds from the protocol. This incident has also sparked discussions about the security of the Dencun upgrade, emphasizing the need for thorough security audits when introducing new features.
Key Citations
Ethereum Dencun Upgrade Explained
DeFi protocol SIR.trading loses entire $355K TVL in exploit
Fatal Residue | An On-Chain Heist Triggered by Transient Storage
Transient Storage: Ethereum's Game-Changing Feature
TSTORE Low Gas Reentrancy
Ethereum’s Dencun Upgrade: A Leap Toward Cheaper Decentralized Applications
Attacker’s Address
Attack Transaction
Contract Code on Etherscan
MistTrack Analysis URL
SIR.trading begs hacker to return $255K or ‘no chance for us to survive’