QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$12 000 USD
SEPTEMBER 2023
GLOBAL
BANKX
DESCRIPTION OF EVENTS
BankX is a financial platform centered around a stablecoin called XSD, designed to offer individuals greater financial freedom. The platform allows users to mint XSD stablecoins, offering them an opportunity to earn rewards. One key feature of BankX is its focus on providing a deflationary token, known as the BankX Token, which aims to increase in value over time. BankX also offers various services, including the ability to buy NFTs, participate in a leaderboard for competitive rewards, and engage in a referral program to earn additional incentives.
The platform operates with a minting interest rate of 5.28%, ensuring that users who mint XSD can benefit from passive earnings. BankX is built on a decentralized system, allowing for financial independence without relying on traditional banking structures. It provides a comprehensive set of resources, including documentation and terms of use, to help users understand the platform. Whether you are looking to mint XSD, purchase NFTs, or participate in its rewards program, BankX offers a unique solution for individuals seeking to manage their finances in the crypto space.
BankX introduces XSD, a stablecoin pegged to the price of 1 gram of silver, providing a unique way to store value and earn interest. Unlike traditional stablecoins, XSD is crypto-backed and designed to eliminate the risk of liquidation. This ensures that users can mint and hold XSD without worrying about the typical volatility seen in many digital assets. The platform allows users to track XSD's value against silver, providing a more stable alternative for crypto investors.
BankX offers a variety of purposes and ways for users to profit, catering to different levels of expertise in the crypto space.
For beginners, BankX allows users to create the XSD stablecoin and earn interest. Additionally, users can lock up BankX tokens in Token Lockup Rewards, which generates interest in the form of more BankX tokens. This is a simple way for beginners to start earning and participating in the ecosystem.
For intermediate users, BankX introduces the concept of "looping," where users can use the stablecoin they minted to buy more collateral, mint more XSD, and earn even more interest. This process can be repeated multiple times to maximize returns.
For advanced users, BankX provides opportunities to engage with liquidity pools and the Integrated Protocol Owned Liquidity (IPOL) system. Users can earn rewards by providing liquidity or adding collateral when the stablecoin is in a deficit. Additionally, BankX supports arbitrage opportunities where users can profit by maintaining the peg of XSD. By burning BankX tokens or XSD at the right times, users can buy tokens at a discount, mint more stablecoin, or lock up tokens for additional rewards.
"In times of collateral deficit (which is usually caused by a drop in the price of the collateral used to mint XSD), the system gives incentives in the form of bonus BankX tokens and the XSD stablecoin for you to add collateral to the stablecoin. Instead of liquidation, we offer incentives to add collateral instead."
The BankX smart contract contains a re-entrancy vulnerability which allows "an attacker to manipulate the pool’s price by burning XSD tokens in a way that distorts the price".
"Both are caused by a re-entry issue and then triggered burnpoolXSD(), which also changes the swap K number."
"The attacker executed a flash loan, borrowing a large amount of WETH. They swapped WETH to XSD and then swapped XSD back to WETH, transferring the required WETH back to the flash loan provider."
The project team’s XSD-WBNB pool on BSC was hacked, with the attack resulting in the loss of approximately 3800 ETH worth of BNB, which was then exchanged for a profit of 57 BNB. The core vulnerability lies in the lack of non-reentrancy protection in the swapXSDForETH function, allowing an attacker to manipulate the pool’s price by burning XSD tokens in a way that distorts the price. The attack involved a series of flash loans and re-entry functions, exploiting the system's reentrancy flaw to perform multiple swaps and burns to profit from price manipulation. The attacker used the burnpoolXSD function within the swapXSDForETH call, burning a large amount of XSD tokens to push the price higher, then dumping the inflated XSD back into the pool for a profit.
profit of 57 BNB
56.964339410199718035 x 212 = 12076.43995496234022342
There does not appear to be any reaction from the project or community. BankX was not very active on their Twitter/X at the time.
The pricing of XSD currently varies across different blockchains, with discounts on the current price of 1 gram of silver depending on the network. For example, XSD on Ethereum is priced at $0.23 (a 78.53% discount), while on Arbitrum, it’s only $0.03 (a 97.03% discount). Other networks like BNB, Polygon, and Optimism also offer significant discounts on the XSD price, ranging from 92.14% to 95.13%. These varying prices across blockchains present users with opportunities to acquire XSD at different rates, maximizing potential savings.
It is unclear when or if BankX is going to notice and resolve the vulnerabilities in their smart contract.
BankX is a decentralized financial platform focused on its stablecoin, XSD, which is pegged to the price of 1 gram of silver, offering users a unique way to store value and earn interest. The platform allows minting of XSD, earning rewards, and participating in activities like buying NFTs, joining a leaderboard, and a referral program. In September 2023, BankX faced a security breach where its XSD-WBNB pool on BSC was attacked, resulting in the loss of about 57 BNB. The attack exploited a re-entrancy vulnerability in the platform’s smart contract, allowing the attacker to manipulate XSD prices by burning tokens and profiting from price manipulation. It remains uncertain when or if BankX will address these vulnerabilities.
Attack Transaction - BSCScan (Mar 20)
Tikkala Research - "Token $XSD was attacked again @BankXio, the victim contract 0xaadae9117df8b5d584378a41a105cc4862a16e99 lost about ~57BNB and it worth about $32k." - Twitter/X (Mar 20)
Tikkala Research - "It's not a new attack; the vulnerability is the same as before. The latest hack transaction and the previous hack transaction are similar. Both are caused by a re-entry issue and then triggered burnpoolXSD(), which also changes...ter/X (Mar 20)
Historic BNB Pricing Data - Investing.com (Mar 20)
Flash Loan - Web3Sec (Mar 20)
Introduction to the Hack Incident - bixia1994 (Mar 20)
