FTX suffered a GAS theft attack and hackers minted XEN Token 17K times at zero cost

XEN is a token that has become popular recently: anyone can mint large quantities of it for nothing more than the gas fee. Is there a way to have someone else pay that gas? Recently, one attacker found a way to have FTX pay it.

Vulnerability principle:

Attack preparation phase:

On October 10, the attacker (0x1d371CF00038421d6e57CFc31EEff7A09d4B8760) deployed attack contracts on chain, for example 0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3.

Attack Phase:

The FTX withdrawal hot wallet (0xC098B2a3Aa256D2140208C3de6543aAEf5cd3A94) kept sending small amounts of ETH, about 0.0035 ETH each, to the attack contract, as shown in the figure below.

Looking closer at the transaction details, in each transaction the attack contract creates one to three sub-contracts, each of which mints or claims XEN Token and then self-destructs. The gas for all of these operations is paid by the FTX hot wallet, since it is the sender of the transaction.

Attack loss:

So far FTX has lost over 81 ETH to the gas theft vulnerability. The attacker's address has obtained more than 100 million XEN tokens, swapped part of them for 61 ETH on decentralized exchanges such as DODO and Uniswap, and deposited the proceeds to the FTX and Binance exchanges.

We have been monitoring the attack on chain and so far see only FTX being targeted this way; the gas theft attack against FTX is still ongoing. The following are the contract addresses deployed by the attacker:


Vulnerability Analysis:

  • FTX wallet security: there is no restriction on the recipient being a contract address, and no restriction on the gas limit for native ETH transfers. Instead, the estimateGas method is used to determine the fee, which results in a gas limit of mostly 500,000, about 24 times the default of 21,000.

  • FTX withdrawal security: the hot wallet made a large number of small transfers to the same withdrawal address. This is an obviously abnormal withdrawal pattern.

  • FTX business security: FTX charges no fee for withdrawals, which made it extremely convenient for the attacker to steal at zero cost.
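A defender-side sketch of the first two points above: a gas-limit policy for native ETH withdrawals that never forwards the estimateGas result as the limit, and a detector for the repeated small-transfer, high-gas pattern. This is an added example, not code from the original write-up or from FTX; the Withdrawal fields, the 60,000 contract cap, the thresholds and the addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

PLAIN_TRANSFER_GAS = 21_000  # gas a plain ETH transfer to an EOA consumes


@dataclass(frozen=True)
class Withdrawal:
    """One hot-wallet withdrawal (fields are assumptions for this example)."""
    tx_hash: str
    to: str
    value_eth: float
    gas_used: int
    to_has_code: bool  # would come from eth_getCode(to) != "0x"


def withdrawal_gas_limit(estimated_gas: int, to_has_code: bool,
                         contract_cap: int = 60_000) -> int:
    """Gas-limit policy for native ETH withdrawals.

    An EOA recipient never needs more than 21,000 gas, so the estimate is
    ignored for it. A recipient with code gets the estimate only while it stays
    under a fixed cap (60,000 is an assumed value); above that the withdrawal is
    refused instead of letting the recipient's code burn 500,000 gas on our dime.
    """
    if not to_has_code:
        return PLAIN_TRANSFER_GAS
    if estimated_gas > contract_cap:
        raise ValueError(f"recipient code needs {estimated_gas} gas; cap is {contract_cap}")
    return estimated_gas


def flag_gas_theft(txs, min_count=3, max_value_eth=0.01, gas_ratio=5):
    """Contract recipients that received >= min_count small withdrawals, each
    burning far more gas than a plain transfer: the ~0.0035 ETH / ~500k gas pattern."""
    suspect = defaultdict(int)
    for tx in txs:
        small = tx.value_eth <= max_value_eth
        heavy = tx.gas_used >= gas_ratio * PLAIN_TRANSFER_GAS
        if small and heavy and tx.to_has_code:
            suspect[tx.to] += 1
    return {to: n for to, n in suspect.items() if n >= min_count}


# Constructed sample withdrawals; the addresses are placeholders, not real ones.
SAMPLE_WITHDRAWALS = [
    Withdrawal("0xtx1", "0xATTACK_CONTRACT", 0.0035, 487_000, True),
    Withdrawal("0xtx2", "0xATTACK_CONTRACT", 0.0035, 492_000, True),
    Withdrawal("0xtx3", "0xATTACK_CONTRACT", 0.0035, 479_000, True),
    Withdrawal("0xtx4", "0xUSER_EOA", 0.5, 21_000, False),
    Withdrawal("0xtx5", "0xUSER_SAFE", 0.0035, 45_000, True),  # small but not heavy
]
```

Running `flag_gas_theft(SAMPLE_WITHDRAWALS)` returns `{'0xATTACK_CONTRACT': 3}`; the single low-gas transfer to the contract wallet is not flagged.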
