
CEX Risks and How to Mitigate Them
A summary review of evaluating the risk of centralized exchanges and what to do about these risks.
On October 13, 2022, FTX was the target of a gas-stealing attack, in which the hacker took advantage of the vulnerability by minting XEN tokens 17,000 times at zero cost. The amount of loss roughly corresponds to 81 ETH.
FTX is a centralized cryptocurrency exchange that specializes in derivatives and leveraged products. Its key product offerings include futures, leveraged tokens, options, MOVE contracts, and spot markets.
XEN is an ERC-20 token built on the Ethereum blockchain. It is founded on the fundamental principles of cryptocurrency, such as decentralization, self-custody, transparency, and trust through consensus. The XEN smart contract is immutable, lacks admin keys, and is open source.
The root cause of this attack is that FTX did not cap the gas limit of its withdrawal transactions while at the same time charging no withdrawal fee, so the exchange paid for whatever computation a withdrawal triggered.
The attacker first deploys an arbitrage contract and then requests an ETH withdrawal from FTX to that contract's address.
The arbitrage contract's fallback function calls the XEN project's mint function, so every incoming withdrawal transfer results in $XEN tokens being minted.
Because the FTX exchange is the sender of the withdrawal transaction, the exchange itself covers all of the gas consumed, including the gas used by the fallback function.
FTX neither checked whether the recipient was a contract address nor limited the amount of ETH gas the withdrawal could consume.
A small amount of ETH is transferred from the FTX hot wallet address to the attack contract, and the contract creates sub-contracts in batches, each of which mints XEN.
The XEN token's price has dropped by more than 33%. Through the loophole, the attacker has generated over 100 million XEN tokens. According to reports, the XEN token is also being targeted by a Sybil attack.
Anything that is practically quantifiable cannot be infinite. Gas limits could be set arbitrarily high, but this would have numerous consequences. The transaction size is bounded by the block size. As a result, specifying a gas limit greater than the block's gas limit is pointless.
Each block has a gas limit. A block gas limit has the advantage of preventing attackers from creating an infinite transaction loop. If a transaction's gas usage exceeds this limit, the transaction will fail.
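The withdrawal flow and the gas-limit discussion above describe two controls an exchange's hot-wallet service can apply before it signs a payout: decide the gas limit itself (bounded far below the block gas limit) and treat contract recipients differently from plain accounts. The following is an added example illustrating that policy; it is not code from the original post or from FTX, Neptune Mutual or XEN. The constants (21,000 gas for an EOA transfer, a 100,000 cap for contracts, a 30M block gas limit), the `Withdrawal` and `PlannedTx` types and the `plan_withdrawal` function are all assumptions made for illustration.

```python
"""Added example: gas-limit policy for exchange withdrawals (assumed design, not any exchange's real code)."""
from dataclasses import dataclass

# Assumed policy constants for this example.
EOA_TRANSFER_GAS = 21_000      # gas for a plain ETH transfer to an externally owned account
CONTRACT_GAS_CAP = 100_000     # the most gas the exchange will pay when the recipient is a contract
BLOCK_GAS_LIMIT = 30_000_000   # a transaction asking for more than this can never be included anyway


@dataclass
class Withdrawal:
    recipient: str
    recipient_code: bytes   # bytes that eth_getCode would return; b"" means an EOA
    amount_wei: int         # amount the user asked to withdraw
    gas_price_wei: int      # gas price the exchange will pay for this transaction
    requested_gas: int = 0  # optional user-requested gas limit (0 = use the policy default)


@dataclass
class PlannedTx:
    to: str
    value_wei: int
    gas_limit: int
    fee_charged_wei: int


def is_contract(code: bytes) -> bool:
    """A recipient with non-empty code can run a fallback function on receipt of ETH."""
    return len(code) > 0


def max_exposure_wei(gas_limit: int, gas_price_wei: int) -> int:
    """Worst-case gas cost the sender pays for one transaction: the recipient can burn it all."""
    return gas_limit * gas_price_wei


def plan_withdrawal(w: Withdrawal, allow_contracts: bool = True) -> PlannedTx:
    """Build the transaction the hot wallet will sign, with an explicit, bounded gas limit.

    For EOAs the limit is exactly the cost of a transfer; for contracts it is capped at
    CONTRACT_GAS_CAP (and never above the block gas limit). The gas cost is deducted from
    the withdrawal amount, so a recipient that burns the whole budget only costs itself.
    """
    contract = is_contract(w.recipient_code)
    if contract and not allow_contracts:
        raise ValueError("contract recipients are not accepted by this withdrawal policy")

    if contract:
        gas_limit = CONTRACT_GAS_CAP
        if w.requested_gas:
            gas_limit = min(w.requested_gas, CONTRACT_GAS_CAP)
    else:
        gas_limit = EOA_TRANSFER_GAS
    # Anything above the block gas limit is pointless, so clamp as a last line of defence.
    gas_limit = min(gas_limit, BLOCK_GAS_LIMIT)

    fee = max_exposure_wei(gas_limit, w.gas_price_wei)
    if fee >= w.amount_wei:
        raise ValueError("withdrawal amount does not cover the gas it may consume")
    return PlannedTx(to=w.recipient, value_wei=w.amount_wei - fee,
                     gas_limit=gas_limit, fee_charged_wei=fee)


if __name__ == "__main__":
    gwei = 10**9
    # Constructed sample inputs: an EOA and a contract recipient (bytecode is a placeholder).
    eoa = Withdrawal("0xEOA_PLACEHOLDER", b"", 10**18, 20 * gwei)
    bot = Withdrawal("0xCONTRACT_PLACEHOLDER", b"\x60\x80\x60\x40", 10**18, 20 * gwei)
    print(plan_withdrawal(eoa))
    print(plan_withdrawal(bot))
    # Exposure per withdrawal if the gas limit were left uncapped versus the policy cap.
    print(max_exposure_wei(BLOCK_GAS_LIMIT, 20 * gwei) / 10**18, "ETH uncapped")
    print(max_exposure_wei(CONTRACT_GAS_CAP, 20 * gwei) / 10**18, "ETH capped")
```

The point of the design is that the sender, not the recipient, chooses how much gas a withdrawal may consume, and that the user bears that cost; with the numbers assumed here an uncapped transfer at 20 gwei exposes up to 0.6 ETH per withdrawal, while the capped policy exposes 0.002 ETH and only when the user has paid for it.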
Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol against known and unknown vulnerabilities that have the potential to cause catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and sense of responsibility to do so.
Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.
Join us in our mission to cover, protect, and secure on-chain digital assets.
Official Website: https://neptunemutual.com
Blog: https://blog.neptunemutual.com/
Twitter: https://twitter.com/neptunemutual
Reddit: https://www.reddit.com/r/NeptuneMutual
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual