FTX suffers GAS theft attack, hackers mint XEN Token 17K times with 0 cost
opang
0x9C26
X-explore
0x302a
October 13th, 2022

As we all know, there is a hot token called XEN. The participants just pay the gas fee that can return with the token XEN. So is there a way to get someone else to pay the gas fee for us instead? The answer is YES , recently we found a hacker who was using FTX to pay for him.

Vulnerability Principle

Attack preparation phase:

On October 10, attacker 0x1d371CF00038421d6e57CFc31EEff7A09d4B8760 deployed the attack contract on the chain (e.g., 0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3)

Attack Phase:

The FTX exchange outgoing hot wallet address (0xC098B2a3Aa256D2140208C3de6543aAEf5cd3A94) makes successive small ETH transfers of around 0.0035 ETH to the attack contract, as shown below.

Looking further into the transaction details, each transaction attack contract creates 1 to 3 subcontracts. The attack first performed Mint or Claimed of XEN Token, and these contracts will self-destruct eventually. All the gas fees related to the transactions are paid by FTX hot wallet addresses.

Vulnerability Losses

As of now, the FTX exchange has lost a total of 81+ ETH due to the GAS theft vulnerability, and the hacker address has acquired over 100 million XEN Token and exchanged some of the XEN tokens for 61 ETH through decentralized exchanges such as DoDo, Uniswap, etc. and deposited them to the FTX as well as Binance exchanges.

We have monitored the on-chain attack and currently only perceive that the FTX exchange is facing such an attack. However, the GAS theft attack against FTX is still ongoing. The following are the addresses of the contracts deployed by the attackers.

0xcba9b1fd69626932c704dac4cb58c29244a47fd3

0x6a6474d79536c347d6df1e5f1ce9be12613a13c6

0x51125a7d015eddc3dbef138a39ba091863d1f155

0x6438162e69037c452e8af5d6ae70db1515324a3d

0xb69d4de5991fa3ded39c27ed88934a106f0af19e

0x8b2550add3c5067ca7c03b84e1e37b14b35aa1e5

0x2e1891de1e334407fafaab09ac545bb9e4099833

0xebe5cccc75b4ec5d6d8c7a3a8cee0d8c0e821584

0xcf0da9cea8403ff1e3ed6db93f3badc885c24522

0x524db09476bb87b581e1c95fbf37383661d1829a

0x1afd71464dd7485f8b3cea7c658c6a1e2b3e77a4

0xfc3ee819f873050f7f3bbce8b34ba9df4c44b5d0

0xb6bdf9eb331d0109dd3ba1018f119c59341fbb40

0x8e2b77c3c8d6e908aea789864e36a07bea1aaf58

0x46666a93b1f83b4c475b870dc67dc0dbd8a16607

0x15e5bf7f142ffa6f5eb7e1a30725603c97c2d0d6

0x6845eebc315109a770dcc7a43ed347405a82e94b

Vulnerability Analysis

  • FTX Wallet Security: There is neither any restriction on the recipient address being the contract address, nor a limit on the transfer GAS Limit for ETH Tokens, but rather the estimateGas method is used to evaluate the processing fee, which results in a GAS LIMIT of mostly 500,000, exceeding the default value of 21,000 by a factor of 24.

  • FTX withdrawal security: there are a large number of small transfers from FTX withdrawal hot wallet address to the withdrawal of funds from the same withdrawal address. This is an obvious withdrawal anomaly.

  • FTX business security: FTX withdraw coins without fees, to the attacker zero cost theft brings great convenience.

For more info, please subscribe:

Mirror: https://mirror.xyz/x-explore.eth

Twitter: https://twitter.com/x_explore_eth

Subscribe to X-explore
Receive new entries directly to your inbox.
Collectors
View
#1
#2
#3
View collectors
This entry has been permanently stored on-chain and signed by its creator.