$550 000 USD

APRIL 2024

GLOBAL

XBANK FINANCE

DESCRIPTION OF EVENTS

"The Non-Custodial Liquidity Market Protocol Built on zkSync Era"

"xBank manages deposits for lenders and facilitates lending of the deposited asset for borrowers while performing appropriate risk management to protect the lenders from risks of illiquidity and insolvency."

"xBank is forked from Compound Finance, whose smart contracts were audited and carefully developed. Compound has never experienced any exploitation, and both xBank’s and Compound’s smart contracts have consistently operated as intended."

"According to feedback from multiple community members, the zkSync ecosystem lending platform @xBankFinance is suspected of a rug pull. Currently, the official account displays that it has been frozen, and the platform's liquidity is reduced to single-digit assets."

"zkSync's ecosystem lending platform xBankFinance suspected of being a Rug pull. According to feedback from multiple community members, zkSync's ecosystem lending platform xBankFinance is suspected of being a Rug pull. Currently, the official announcement indicates that the account has been frozen, and the platform's liquidity is only left with single-digit assets."

"@xBank_Finance was unfortunately exploited by a malicious actor." "We are trying to get hold of the exploiter to offer whitehat bounty to return the funds. A post-mortem analysis is being conducted. We sincerely appreciate your patience and understanding during this time."

"It is with regret that we inform you that xBank Finance was exploited. We have conducted a thorough investigation into the issue and have found that the exploiter conducted a Precision Loss attack on xBank and netted a total of ~$550,000."

"All of xBank Finance’s depositors are affected." "Total Impact: 46,001.368248 USDC, 0.57374109 WBTC, 149.884669041911623518 ETH"

"The exploiter conducted a flashloan of $7M USDC from Syncswap & deposited them into ZeroLend to borrow 2,000 WETH using his first contract, which we will refer to as “Evil Contract #1”.

The exploiter unwrapped 2,000 WETH to ETH and deposited the whole amount to xBank Finance. The exploiter then borrowed ~49,000 USDC, 0.57 BTC, and 1,622.43 ETH from xBank and transferred 1,622.43 ETH to another contract, which we refer to as “Evil Contract #2”.

With the funds in Evil Contract #2, the exploiter deposited a certain amount of ETH into xBank to receive an equivalent value in xETH, a receipt token for ETH deposits on the platform. Later, they manipulated the exchange rate of xETH by exploiting a precision loss through a loop.

Initially, Evil Contract #2 deposited 0.000000000200477909 ETH to obtain precisely 0.00000001 xETH (exchange rate: 2.0047790740972892e+26). Following this, Evil Contract #2 invoked the redeemUnderlying function with 0.000000000400955813 ETH as input. Due to truncation of decimals on the blockchain, the contract miscalculated the required shares, resulting in a redemption of more ETH than intended. Normally, this would be inconsequential as the surplus amount is negligible. Evil Contract #2 iterated these steps, progressively reducing the xETH to ETH conversion until Evil Contract #1’s account became liquidatable, as xETH is used in the calculation of the liquidation formula. After finding out that Evil Contract #1’s account was liquidatable, Evil Contract #2 liquidated Evil Contract #1 and repaid 811.21892949010806335 ETH.

After seizing all assets of Evil Contract #1’s account, Evil Contract #2 redeemed all shares and got 2,149.88 ETH back, then returned the 2,000 ETH loan to ZeroLend to withdraw the $7M USDC deposit and return it to SyncSwap.

Through this process, the exploiter was able to make a profit of 46,001.368248 USDC, 0.57374109 WBTC, and 149.884669041911623518 ETH from the exploit."
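
The deposit/redeemUnderlying rounding primitive described in the post-mortem, modelled in Python as an added example (not xBank's or Compound's code). It uses Compound's 1e18-scaled exchange-rate formula; the market size is a constructed assumption chosen so the starting rate equals the 2.0047790740972892e26 quoted above, and `round_shares_up` is a hypothetical mitigation that rounds the shares charged by redeemUnderlying in the protocol's favour so the loop no longer leaks value.

```python
from dataclasses import dataclass

EXP_SCALE = 10**18  # Compound scales exchange rates by 1e18

# Constructed market state (assumption) reproducing the quoted rate 2.0047790740972892e26.
SAMPLE_CASH = 2004779074097289200000  # ~2004.78 ETH of underlying, in wei
SAMPLE_SUPPLY = 10**13                # 100,000 xETH in 8-decimal units


@dataclass
class Market:
    """Minimal Compound-style market: ETH in, 8-decimal receipt tokens (xETH) out.
    Borrows and reserves are folded into `cash` to keep the model short."""
    cash: int                      # underlying held, in wei
    total_supply: int              # receipt tokens outstanding, 1 unit = 0.00000001 xETH
    round_shares_up: bool = False  # hypothetical mitigation: ceil() shares in redeem_underlying

    def exchange_rate(self) -> int:
        return self.cash * EXP_SCALE // self.total_supply  # underlying per share, x1e18

    def mint(self, amount: int) -> int:
        shares = amount * EXP_SCALE // self.exchange_rate()  # depositor rounds down: safe
        if shares == 0:
            raise ValueError("deposit too small to mint a share")
        self.cash += amount
        self.total_supply += shares
        return shares

    def redeem_underlying(self, amount: int) -> int:
        num, rate = amount * EXP_SCALE, self.exchange_rate()
        # Truncating here lets one share buy back almost two shares' worth of ETH.
        shares = -(-num // rate) if self.round_shares_up else num // rate
        if shares == 0:
            raise ValueError("refusing to pay underlying for zero shares")
        self.cash -= amount
        self.total_supply -= shares
        return shares


def precision_loss_round(m: Market) -> tuple[int, int]:
    """One deposit/redeem pair sized to the live rate, as in the post-mortem's loop.
    Returns (net wei received, net shares kept); the mitigation burns an extra share."""
    deposit = -(-m.exchange_rate() // EXP_SCALE)        # smallest deposit minting exactly 1 share
    minted = m.mint(deposit)
    redeem = (2 * m.exchange_rate() - 1) // EXP_SCALE   # largest amount that truncates to 1 share
    burned = m.redeem_underlying(redeem)
    return redeem - deposit, minted - burned


def caller_value_wei(m: Market, net_wei: int, net_shares: int) -> int:
    """Caller's gain in wei at the post-trade rate; > 0 means other depositors paid for it."""
    return net_wei + net_shares * m.exchange_rate() // EXP_SCALE
```

Each vulnerable round drains about one share's worth of ETH (roughly 2e-10 ETH at this rate) and lowers the exchange rate, which is why the post-mortem calls a single iteration negligible and the loop the real problem; with shares rounded up the same pair leaves the caller slightly worse off and the rate no lower.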


"We have already reached out to the exploiter, to offer a whitehat bounty in an effort to get the users’ funds back.

The team will continue to investigate this exploit further, so we will continue to pause borrowing and deposit. We will keep you posted on the progress, and we sincerely appreciate your patience and understanding."

"Dear 0xfa9d342a222f1e1052a9eea73d35e4eeba045729,

We are reaching out to you from xBank Finance regarding the recent exploitation of our protocol. We understand that there may have been underlying circumstances leading to your actions, and we wish to extend an opportunity for resolution that benefits both parties involved. In light of this, we kindly request that you return the funds obtained through the exploitation of our platform. As a gesture of appreciation for your cooperation and assistance in strengthening our security measures, we are prepared to offer a white hat bounty equivalent to 10% of the exploit value, amounting to $75,981. Your willingness to engage in this process is greatly appreciated, and we are open to further discussions to ensure a mutually beneficial outcome for all parties involved.

Thank you for your attention to this matter,
xBank Finance"

"The exploiter unfortunately chose not to cooperate, so now we can assume he’s a blackhat. We are currently tracking his wallet, and while he has not moved the exploited funds, all hope is not lost. Once the exploiter starts moving funds, he will leave more trail, where we can get leads to uncover his track and identity."

"We’re in touch with Seal 911, a team of security researchers who are helping us keep an eye on the exploiter. Exploiter, if you’re reading this, it’s not too late to return the funds. Otherwise, mark our words, we will make you pay. You will spend the rest of your life running, and you will one day be eventually tracked down."

xBank Finance is a non-custodial liquidity market protocol built on zkSync Era that facilitates lending and borrowing while prioritizing risk management. Despite being forked from Compound Finance's audited and well-developed smart contracts, xBank Finance was exploited, resulting in a loss of roughly $550,000 that affected all depositors. The exploit combined a flash loan with a precision loss attack: by repeatedly depositing and redeeming tiny amounts, the exploiter pushed down the xETH exchange rate until their own borrowing position became liquidatable and could be liquidated at a profit. Despite efforts to negotiate with the exploiter and offer a white hat bounty, they refused to cooperate, leading the team to classify them as a black hat. Efforts to track and recover the funds are ongoing, with external security teams involved in monitoring the situation. The team issued a warning to the exploiter, emphasizing its determination to pursue legal action and ensure accountability for the breach.

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.