$300,000 on-chain attack incident: transient storage vulnerability causes harm to margin trading projects


Fatal Residue: A $300,000 on-chain Attack Event Originating from Transient Storage

On March 30, 2025, a security monitoring system detected that a leveraged trading project on the Ethereum chain had been attacked, with losses of over $300,000 in assets. The security team conducted an in-depth analysis of the incident and is sharing the results below.

Background

Solidity 0.8.24 (released in January 2024) introduced transient storage based on EIP-1153. This is a new data location designed to give developers a low-cost temporary storage method whose contents last for a single transaction.

The main features of transient storage include:

  1. Low gas cost: The gas cost for TSTORE and TLOAD operations is fixed at 100.
  2. Transaction Persistence: Data remains valid throughout the transaction.
  3. Automatic clearing: After the transaction ends, the transient storage is automatically reset to zero.


Source of Attack

The root cause of this incident is that the value written to transient storage with tstore inside the function was not cleared after the function call ended. The attacker exploited this residual value to construct a specific malicious address, bypassing the permission check and withdrawing tokens.


Attack Process

  1. The attacker creates two malicious tokens A and B, creates pools for these two tokens on a DEX and injects liquidity, where token A is the attack contract.

  2. The attacker calls the initialize function of the Vault contract to create a leveraged trading market APE-21 with A token as the collateral token and B token as the debt token.

  3. The attacker calls the mint function of the Vault contract, depositing the debt token B to mint the leveraged token APE. During this process, two transient storage operations are involved: first storing the address of a certain DEX pool, and then storing the quantity of the minted tokens.


  4. The attacker creates a malicious contract through a special method, with an address equal to the value of the second transient storage write.

  5. The attacker directly calls the callback function of the Vault contract through the malicious contract to transfer tokens. Because the value in transient storage has not been cleared, the identity check on the caller is incorrectly passed.

  6. Finally, the attacker profits by calling the callback function of the Vault contract through the attack contract (token A), transferring other tokens (such as WBTC and WETH) out of the Vault contract.


Capital Flow Analysis

According to on-chain analysis tools, the attacker stole approximately $300,000 worth of assets, including 17,814.8626 USDC, 1.4085 WBTC, and 119.871 WETH. These assets were subsequently consolidated, converted into WETH, and ultimately transferred to a certain privacy trading protocol.

The attacker's initial funds came from the 0.3 ETH transferred in from the privacy trading protocol.

Summary and Recommendations

The core of this attack is that the attacker exploited a characteristic of transient storage, namely that a written value is retained for the rest of the transaction, to circumvent the permission check of the callback function and profit. To prevent similar incidents, it is recommended that the project team:

  1. Clear transient storage immediately after the function call ends, using tstore(key, 0) at the point the business logic no longer needs the value.
  2. Strengthen contract code auditing and security testing.
  3. Use newly introduced features with caution and fully understand their potential risks.
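As an added illustration of the pattern described in the attack process and of recommendation 1, the following Solidity 0.8.24 sketch places a vulnerable vault beside a hardened one. It is example code written for this article, not the attacked project's contracts or the original report's code; the contract names, the slot keys, the IPool/IERC20 interfaces and the onSwap callback are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload require evm_version cancun or later

// All names below are constructed for this example; they are not the attacked
// project's identifiers. IPool stands in for a DEX pool that calls back into
// the vault during a swap.
interface IPool {
    function swap(uint256 amountIn) external returns (uint256 amountOut);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Thin wrappers over the EIP-1153 opcodes.
abstract contract TransientSlots {
    function _tstore(bytes32 slot, uint256 value) internal {
        assembly ("memory-safe") { tstore(slot, value) }
    }

    function _tload(bytes32 slot) internal view returns (uint256 value) {
        assembly ("memory-safe") { value := tload(slot) }
    }
}

// Vulnerable pattern: a single transient slot is reused for two purposes
// (expected callback caller, then minted amount) and is never zeroed.
contract VulnerableVault is TransientSlots {
    bytes32 private constant SLOT = keccak256("example.vault.transient"); // constructed key

    function mint(address pool, uint256 amountIn) external returns (uint256 minted) {
        _tstore(SLOT, uint256(uint160(pool)));   // write 1: who may call onSwap()
        minted = IPool(pool).swap(amountIn);     // pool re-enters via onSwap()
        _tstore(SLOT, minted);                   // write 2: same slot, now an amount
        // No _tstore(SLOT, 0) here: the slot keeps `minted` until the
        // transaction ends, and onSwap() below still trusts it.
    }

    // The caller check reads whatever the slot currently holds. Once mint() has
    // returned, that value is `minted`, not the pool address, so the check no
    // longer ties the callback to the pool the vault actually swapped with.
    function onSwap(address token, uint256 amountOwed) external {
        require(uint256(uint160(msg.sender)) == _tload(SLOT), "not pool");
        IERC20(token).transfer(msg.sender, amountOwed);
    }
}

// Hardened pattern: one slot per purpose, a non-zero check, and explicit
// zeroing both when the callback has been consumed and before mint() returns.
contract HardenedVault is TransientSlots {
    bytes32 private constant CALLER_SLOT = keccak256("example.vault.caller"); // constructed
    bytes32 private constant AMOUNT_SLOT = keccak256("example.vault.amount"); // constructed

    function mint(address pool, uint256 amountIn) external returns (uint256 minted) {
        _tstore(CALLER_SLOT, uint256(uint160(pool)));
        minted = IPool(pool).swap(amountIn);
        _tstore(AMOUNT_SLOT, minted);            // separate slot: never read as an address
        // Business logic that needs the amount during this call would read it here.
        _tstore(CALLER_SLOT, 0);                 // clear before returning ...
        _tstore(AMOUNT_SLOT, 0);                 // ... so nothing survives this call
    }

    function onSwap(address token, uint256 amountOwed) external {
        uint256 expected = _tload(CALLER_SLOT);
        require(expected != 0, "no swap in progress");
        require(expected == uint256(uint160(msg.sender)), "not pool");
        _tstore(CALLER_SLOT, 0);                 // one-shot: consumed on first valid use
        IERC20(token).transfer(msg.sender, amountOwed);
    }
}
```

The two design choices that matter are visible in HardenedVault: a slot is only ever interpreted as one type (an address or an amount, never both), and every write is paired with a zeroing write before control leaves the function that needed it. Automatic reset at the end of the transaction is not a substitute, because any later call within the same transaction still observes the residual value.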
Comments

LayerZeroHerovip · 08-02 23:27
There must be a backdoor in the attack.

Web3ProductManagervip · 08-01 12:37
Classic UX friction point attack

OnchainDetectivevip · 08-01 04:23
A single mistake in the code can lead to complete failure.

SchrodingersFOMOvip · 08-01 04:18
Dangerous to go up without testing first

ProbablyNothingvip · 08-01 04:18
Eventually there will be loopholes.

rug_connoisseurvip · 08-01 04:11
New vulnerabilities make money fast