ID: ftx-1213 (100 pts)
Platform: Ethereum
Type: Exchange
Category: Assets
Method: Contract Vulnerabilities
Data Sources:
Extended Method: No restriction preventing the withdrawal recipient from being a contract address, and no limit on the gas limit of ETH withdrawal transfers
Days in Operation: 1350 (3.70 Years)
Beosin reported that FTX was under a gas-stealing attack carried out by minting XEN tokens.
The attacker deploys an arbitrage contract and then initiates an ETH withdrawal from FTX to that contract. In the contract's fallback function, the claim/mint function of the XEN project is called to obtain XEN. Because the sender of the withdrawal transaction is the FTX exchange, FTX pays the gas for the whole process. FTX neither restricts the recipient from being a contract address nor imposes a limit on the gas limit of the ETH transfer. The FTX hot wallet transfers a small amount of ETH to the attack contract, which creates subcontracts in batches; each subcontract's fallback() function sends a mint request to the XEN contract, and the subcontract self-destructs after execution.
As of now, FTX has lost a total of 81+ ETH to the gas-theft vulnerability, and the attacker's address has acquired over 100 million XEN tokens, exchanging some of them for 61 ETH through decentralized exchanges such as DODO and Uniswap and depositing the proceeds to FTX as well as Binance.
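As an added illustration (not code from the web3rekt entry, FTX or Beosin), the two controls the write-up says were missing, expressed as a pre-send withdrawal policy check and a receipt-based detection for a hot wallet; the addresses, the eth_getCode stand-in and the sample receipts are constructed so it runs offline.

```python
from dataclasses import dataclass

# A plain ETH transfer to an externally owned account costs exactly this much gas.
# Forwarding more lets a contract recipient's fallback() run on the sender's gas.
PLAIN_TRANSFER_GAS = 21_000

# Hypothetical addresses for the example: one EOA and one contract with bytecode.
EOA = "0x" + "11" * 20
CONTRACT = "0x" + "22" * 20

# Constructed stand-in for an eth_getCode lookup; a real deployment queries the node.
MOCK_CODE = {EOA: b"", CONTRACT: bytes.fromhex("6080604052")}


def get_code(address: str) -> bytes:
    return MOCK_CODE.get(address.lower(), b"")


@dataclass
class Withdrawal:
    to: str
    value_wei: int
    gas_limit: int


def check_withdrawal(w: Withdrawal) -> tuple[bool, str]:
    """Pre-send policy: reject any ETH withdrawal that could execute recipient code on the exchange's gas."""
    if w.gas_limit > PLAIN_TRANSFER_GAS:
        return False, f"gas limit {w.gas_limit} exceeds plain-transfer cost {PLAIN_TRANSFER_GAS}"
    if get_code(w.to):
        return False, "recipient has bytecode (contract); hold for manual review"
    return True, "ok"


def flag_gas_abuse(sent_txs: list[dict]) -> list[str]:
    """Post-hoc detection over receipts of a hot wallet's outgoing ETH sends:
    any send that burned more than a plain transfer means code ran at the recipient."""
    return [tx["hash"] for tx in sent_txs if tx["gas_used"] > PLAIN_TRANSFER_GAS]


# Constructed receipts: a normal withdrawal, and a small send whose recipient's fallback minted tokens.
SAMPLE_RECEIPTS = [
    {"hash": "0xtx1", "to": EOA, "value_wei": 10**18, "gas_used": 21_000},
    {"hash": "0xtx2", "to": CONTRACT, "value_wei": 10**15, "gas_used": 1_800_000},
]

if __name__ == "__main__":
    print(check_withdrawal(Withdrawal(EOA, 10**18, 21_000)))
    print(check_withdrawal(Withdrawal(CONTRACT, 10**15, 500_000)))
    print(flag_gas_abuse(SAMPLE_RECEIPTS))
```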
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.