As we all know, there is a hot token called XEN. The participants just pay the gas fee that can return with the token XEN. So is there a way to get someone else to pay the gas fee for us instead? The answer is YES , recently we found a hacker who was using FTX to pay for him.
On October 10, attacker 0x1d371CF00038421d6e57CFc31EEff7A09d4B8760 deployed the attack contract on the chain (e.g., 0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3)
The FTX exchange outgoing hot wallet address (0xC098B2a3Aa256D2140208C3de6543aAEf5cd3A94) makes successive small ETH transfers of around 0.0035 ETH to the attack contract, as shown below.
Looking further into the transaction details, each transaction attack contract creates 1 to 3 subcontracts. The attack first performed Mint or Claimed of XEN Token, and these contracts will self-destruct eventually. All the gas fees related to the transactions are paid by FTX hot wallet addresses.
As of now, the FTX exchange has lost a total of 81+ ETH due to the GAS theft vulnerability, and the hacker address has acquired over 100 million XEN Token and exchanged some of the XEN tokens for 61 ETH through decentralized exchanges such as DoDo, Uniswap, etc. and deposited them to the FTX as well as Binance exchanges.
We have monitored the on-chain attack and currently only perceive that the FTX exchange is facing such an attack. However, the GAS theft attack against FTX is still ongoing. The following are the addresses of the contracts deployed by the attackers.
FTX Wallet Security: There is neither any restriction on the recipient address being the contract address, nor a limit on the transfer GAS Limit for ETH Tokens, but rather the estimateGas method is used to evaluate the processing fee, which results in a GAS LIMIT of mostly 500,000, exceeding the default value of 21,000 by a factor of 24.
FTX withdrawal security: there are a large number of small transfers from FTX withdrawal hot wallet address to the withdrawal of funds from the same withdrawal address. This is an obvious withdrawal anomaly.
For more info, please subscribe: