FTX Loses 100 Million XEN Tokens to GAS Theft Vulnerability

• Bad actors mint XEN tokens for free while FTX pays for the transaction.
• The exchange has lost above 81 ETH due to the GAS theft vulnerability.
• A vulnerability assessment suggested that FTX has no restriction on GAS transfer.

The XEN token, a recently launched Ethereum project mintable by paying gas fees, is the latest tool hackers use to manufacture money out of thin air.

According to a Chinese report, an attacker mints the XEN token for free, while the FTX crypto exchange pays for the gas fees. The report revealed that the hacker placed a bug on a chain for the FTX’s hot wallet to continuously transfer Ethereum (ETH) tokens piecemeal to their address.

So far, the FTX exchange has lost over 81 ETH due to the GAS theft vulnerability, and the hacker’s wallet has obtained more than 100 million XEN Tokens. They have consequently exchanged some XEN tokens for 61 ETH through DoDo, Uniswap, and other decentralized exchanges. Notably, the GAS stealing attack against FTX is still in progress, according to the monitoring platform.

Furthermore, the vulnerability assessment by the platform alleged that FTX has no restriction on the transfer GAS limit of ETH’s native token. It said FTX used the “estimateGas” method to evaluate the handling fee, resulting in most of the GAS limit being 500,000, which is 24 times higher than the default value of 21,000.

Additionally, it noted that the frequent number of small transfers with the same address from the FTX hot wallet was an obvious abnormal event that its system should have flagged.

In related news, the Binance Chain bridge was exploited last week, with over half a billion dollars lost in the event.