A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a “disclaimer” about the hack, took down the project’s dApp, and urged people not to deposit into the STAX contracts.

Total loss estimated at $2,340,000.