STAX Finance Hacked For $2.3 Million
hive-167922·@chekohler·
In today's edition of YIYL (You Invest, You Lose), we head back to the tired old trope that is DEFI protocols getting hacked. I mean, is there anything more cliche at this point? I put money in a smart contract that someone paid some auditing firm to give them a stamp and now it's suddenly secure. It's a lesson DEFI bros, degen traders, and the naive shitcoin trader will have to learn the hard way, and you know what's the funniest part of all of this? If those making away with the funds don't cash it out to stablecoins or fiat, you know it's going directly into bitcoin. So in theory you could front-run all of this nonsense by stacking sats, but hey, that's just my theory on it all.

## Yield farming is far from charming

I know the idea of making insane APRs sounds attractive to gamblers and those looking to get ahead without doing any real work, so there will always be a cohort of people interested in these projects. Some might strike it lucky, while most will get their clock cleaned as if they stepped to Mike Tyson in his prime.

The latest example of this comes from TempleDAO, another convoluted protocol with a bunch of tokens that make no fucking sense. The DAO seems to be the primary liquidity provider with its own shitcoin, and then it has a DEFI service, STAX Finance, with another shitcoin you can use to farm rewards. STAX is a liquidity provider for $TEMPLE/$FRAX.

If you want to read how their bullshit protocol works you can find it [here](https://templedao.medium.com/the-temple-flywheel-part-ii-4ef4846b8fa1). I have no interest in rehashing this propaganda and why it's doomed to fail, but in the spirit of allowing you to do your own research, I never shy away from referencing the sources.

Anyway, this protocol managed to stack up to 100 million in value locked, which got it some attention. Now anyone with a brain can tell you TVL is a bunch of rehypothecated dog shit of a metric, but hey, people like it.
Now when you're a 100 million dollar protocol, you're going to get people sniffing around looking to secure that bag, and secure it they did.

## Racks taken from STAX

A user of the service discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. Poor access control on a function in the smart contract allowed the user to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

https://twitter.com/BlockSecTeam/status/1579843881893769222

This amount represents about 4% of the assets in the TempleDAO protocol, which they say is within their margins to survive. However, STAX did "pause" its decentralized service, lol, where have we heard that one before? It replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

> “Earlier today on Tuesday Oct. 11, a series of txs routed through STAX led to a total of 321,154 xLP tokens being taken from the xLP Staking contract at 13:08 UTC time. These tokens were swapped for precisely 1,418,303 TEMPLE and 1,262,438 FRAX; 1,418,303 TEMPLE were sold for FRAX.”

https://twitter.com/staxfinance/status/1579855195693256704

## Just the cost of doing business

TempleDAO has emphasized the limited scope of the attack and issued a statement that everything is fine: although we lost 4% of our treasury, leave your funds with us, the

> “vault contracts share no common code with STAX, have been audited by PeckShield, and remain secure.”

## Time for damage control and running to papa Binance for help

TempleDAO says that the situation is now under control and that the exploiters won’t be able to cause further harm. It's now focusing on trying to get back some of the funds by working with Binance, since the exploiter’s account is associated with the crypto exchange.
> “We are following up with Binance and will initialize a white hat bounty for the exploiter. We are increasing our existing bounty with Hats Finance and establishing secure communications if the hacker chooses to return funds and receive a legal bounty.”

But hey, wait a minute, I thought you were decentralised. How does a defi service collaborate with a centralised service to try and source the funds that were taken from executable code? I thought code is law?

**Sources:**

- [coindesk.com](https://www.coindesk.com/business/2022/10/11/defi-protocol-temple-dao-struck-by-23m-exploit/)
- [dailyhodl.com](https://dailyhodl.com/2022/10/12/templedao-stax-finance-hacked-in-2300000-exploit/)
- [cryptobriefing.com](https://cryptobriefing.com/templedao-stax-hacked-for-2-3-million/)
- [cointelegraph.com](https://cointelegraph.com/news/templedao-exploit-results-in-2m-loss)

## Have your say

What do you good people of HIVE think? So have at it, my Jessies! If you don't have something to comment, "I am a Jessie."

## Let's connect

If you liked this post, sprinkle it with an upvote or esteem, and if you don't already, consider following me @chekohler and subscribe to my [fanbase](https://hive.vote/dash.php?i=2&fan=chekohler).

Posted Using [LeoFinance Beta](https://leofinance.io/@chekohler/stax-finance-hacked-for-usd2-3-million)