TRUST Staking Vault Exploit Drains 85M Tokens on Base

Background and Context

The exploit originated from a structural mismatch in the TRUST vault’s smart contract design. The system allowed users to lock deposits for up to 12 months in exchange for boosted staking shares. For example, the longest lock period minted sTRUST shares at a 25 to 1 ratio while also issuing 1 to 1 principal receipts in TRUST tokens.

However, the vault contract still retained standard ERC 4626 functions. These inherited functions remained fully accessible and bypassed the project’s custom withdrawal logic. Therefore, users could technically withdraw funds through the generic withdraw function instead of using the intended position specific mechanism. Although the team initially suspected a user interface update released one day earlier, investigators later confirmed that the vulnerability existed entirely on chain since deployment.

Importantly, this marked the first security incident in the TRUST staking system’s 14 month operational history. The contract had previously passed an independent audit and handled a peak total value locked of around $1.5 million without reported issues.

Mechanics of the Exploit

The attacker began executing the exploit at approximately 21:54 UTC on March 14. First, they called the createPosition function to deposit tokens and mint boosted sTRUST shares. Immediately afterward, they invoked the inherited withdrawal function to extract a larger token amount than originally deposited. By repeating this loop across multiple transactions, the attacker compounded gains quickly.

Transaction records show that staking amounts escalated from roughly 3 million to more than 36 million $TRUST in successive steps. In total, the attacker deposited about 110.9 million tokens while withdrawing approximately 196.4 million tokens. As a result, the vault became significantly undercollateralized before the team paused operations.

Team Response and Recovery Plan

Following the TRUST staking vault exploit, the development team paused the vault through transaction 0xc30cdcfd284489541f493bc558e3c3a1cf0b2c10ff6d05b9d0af2be4ad7e61d.They secured the remaining funds and conducted a full on chain reconstruction of events. In a comprehensive postmortem published on March 16, the Trust Me Bros team committed to transparency and confirmed that all affected wallets will receive refunds.

Specifically, users will recover their original $TRUST principal along with accrued staking yield based on an upcoming snapshot. The team expects to complete refunds within the week. Meanwhile, the founder issued a public apology and indicated that this incident may discourage him from deploying future smart contracts.