Beosin reported that FTX was under a gas stealing attack by minting ZEN token.

The attacker deploys the arbitrage contract and then initiates an ETH withdrawal operation from FTX to the arbitrage contract. In the fallback function of the arbitrage contract, the claim/mint function of the XEN project is called to obtain XEN. As the sender of the withdrawal transaction is the FTX exchange, the FTX exchange will pay gas for the whole process. FTX does not restrict the recipient to be the contract address, nor does it impose a limit on the ETH gas limit. FTX hot wallet address will transfer a small amount of money to the attack contract, and subcontracts are created in batches. The subcontracts will self-destruct each time after execution. Then subcontract's fallback() function will initiate mint request to Xen contract.

As of now, the FTX exchange has lost a total of 81+ ETH due to the GAS theft vulnerability, and the hacker address has acquired over 100 million XEN Token and exchanged some of the XEN tokens for 61 ETH through decentralized exchanges such as DoDo, Uniswap, etc. and deposited them to the FTX as well as Binance exchanges.