# TempleDAO's STAX Contract Hack Investigation


## Exploit overview <a href="#fa2a" id="fa2a"></a>

On October 11, 2022 the DeFi protocol TempleDAO was exploited. About $2.3M worth of funds was withdrawn from the platform contract, roughly 4% of the total value held by TempleDAO. The attacker later moved the funds to [TornadoCash](https://www.coindesk.com/tech/2022/10/17/templedao-exploiter-moves-ether-worth-over-25m-to-tornado-cash/).

Here is the invocation flow of the transaction: <https://phalcon.blocksec.com/tx/eth/0x4b119a4f4ba1ad483e9851973719f310527b43f3fcc827b6d52db9f4c1ddb6a2>

The hacker's account was linked to Binance, as per [this tweet](https://twitter.com/officer_cia/status/1579843881050730499).

## What happened? <a href="#d1df" id="d1df"></a>

As can be seen in the invocation flow, the attacker called the privileged *migrateStake* function to gain access to funds he was not supposed to control.

321154 *xLP* tokens were withdrawn from the *xLP Staking contract*. The xLP tokens were then swapped for *$TEMPLE* and *$FRAX* tokens, and the *$TEMPLE* tokens were sold for *$FRAX*. As a result the hacker ended up holding *$FRAX* tokens, which were then moved to TornadoCash in multiple transactions.

See the transaction history of this address for exact transaction details: <https://etherscan.io/address/0x2b63d4a3b2db8acbb2671ea7b16993077f1db5a0>

## The root of the problem <a href="#f6cb" id="f6cb"></a>

**Smart-contract programmer's mistake.** In the Solidity programming language, access restrictions are in most cases implemented with function modifiers.

As shown in the code snippet above, there is an “onlyOwner” modifier on a privileged function, which specifies that only the special account with “owner” privileges can call it.

The same access-restriction modifier should have been applied to the *migrateStake()* function. However, the smart-contract developer forgot to add it.
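As an added illustration (not the STAX contract's actual code and not from the original article), here is the shape of the bug beside its fix, with a Foundry test of the access check; the contract names, the minimal `Ownable` helper, the simplified balance logic and the attacker address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol"; // Foundry test helpers (assumed installed)

// Illustrative stand-in, not the STAX contract: balances replace the real xLP logic.
abstract contract Ownable {
    address public owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() {
        require(msg.sender == owner, "Ownable: caller is not the owner");
        _;
    }
}

// Shape of the bug: a privileged migration entry point with no access modifier.
contract StakingVulnerable is Ownable {
    mapping(address => uint256) public balanceOf;

    // BUG: any caller can credit themselves with `amount` of stake and withdraw it.
    function migrateStake(address /*oldStaking*/, uint256 amount) external {
        balanceOf[msg.sender] += amount;
    }

    // Other privileged functions carry the modifier; migrateStake was the outlier.
    function setOwner(address newOwner) external onlyOwner { owner = newOwner; }
}

// Fix: the same function, now restricted to the owner like the other privileged ones.
contract StakingFixed is Ownable {
    mapping(address => uint256) public balanceOf;

    function migrateStake(address /*oldStaking*/, uint256 amount) external onlyOwner {
        balanceOf[msg.sender] += amount;
    }
}

// The check a code review or test suite should have caught: a non-owner call must revert.
contract MigrateStakeTest is Test {
    function testNonOwnerCannotMigrate() public {
        StakingFixed s = new StakingFixed(); // this test contract becomes the owner
        address attacker = address(0xBEEF);  // constructed address for the test
        vm.prank(attacker);
        vm.expectRevert("Ownable: caller is not the owner");
        s.migrateStake(address(0), 1e18);
        assertEq(s.balanceOf(attacker), 0);
    }
}
```

Running `forge test` against the vulnerable contract instead of the fixed one would fail this test, which is exactly the signal a pre-deployment review should have produced.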

## Conclusions <a href="#id-8c07" id="id-8c07"></a>

It can be concluded that the contract was not properly tested and that no code review was conducted.

The issue would have been very easy to avoid if even a junior-level Solidity developer had reviewed the code before deployment.

The issue could have been fixed easily by just adding the modifier before deployment.

