$270 000 USD

JUNE 2021

GLOBAL

XWIN FINANCE

DESCRIPTION OF EVENTS

"xWIN is [an] Investment Platform, Index and Trading Vault, Yield Farming & Yield Optimization to make investment easier than ever." "xWin is the fund management platform built with Binance Smart Chain blockchain technology. It provides [for] fund manager[s] to launch funds easily and connect to investors hassle-free. xWin provide[s] a series of sector index funds in Binance Smart Chain. We included xWIN BSC Defi Index, xWin Binance-Peg Infra Index and xWin US-ANTG Index. There will be more sector vault[s] coming."

"xWin is the decentralized fund management platform built on Binance Smart Chain. It enables everyone who is confident in their trading/fund management skills to open their own funds. Platform users can then subscribe to those funds and earn profits. Our goal was to create a one-stop DeFi protocol, where even total beginners can profit from the biggest wealth transfer in history." "Provide new value [to a] tokenized society from Japan, Tokyo. Our specialities are the solution of the new asset management systems by blockchain and AI." "This project is in Beta. Use at your own risk."

"The DeFi protocol xWin Finance based on Binance Smart Chain was attacked by [flash] loans. The xWin Finance token XWIN has fallen by nearly 90% in 24 hours."

"On June 24, 2021 xWin Finance slippage control weakness was exploited which resulted in the theft of $270K." "A Flash Loan attack has been identified in XWIN-BNB Pancakeswap LP pool."

Steps of the attack, as quoted:

"(1) Hacker gets a flash loan of as much as 76,000 BNB, equivalent to USD 11m.
(2) Hacker subscribed to the old vault PCLP-XWIN LP vault. PCLP-XWIN vault is an old version vault that allows users to participate in PCS LP farming easily by subscribing to the vault:
  (a) Accepting BNB from user.
  (b) Convert 50% of the BNB into altcoin, in this case XWIN from the PCS LP v1.
  (c) Perform add liquidity in PCS v1 and get the LP token. XWIN-BNB PCS LP v1 still has small liquidity that allows the swapping regardless of the volume.
  (d) PCLP-XWIN vault will mint PCLP-XWIN token to the user as the proof of ownership of the vault.
  (e) xWIN Protocol recorded the entitled referral xWIN token rewards to the referral address.
(3) Hacker redeemed it by calling redeem function in xWIN protocol. Redeem function will:
  (a) accept PCLP-XWIN token.
  (b) Vault will unfarm the LP token and convert the LP token back to BNB and XWIN.
  (c) Vault converts all the XWIN back to BNB and sends it back to user.
(4) By the actions in 1 and 2 mentioned above, xWIN protocol recognized the subscription of 76,000 BNB and therefore marked a 76,000 x 0.20 = 15,200 xWIN token entitlement for the referral address.
(5) Hacker repeated the steps of 1, 2 and 3 as many as 20 times with a total of 304,000 xWIN token.
(6) Hacker sent the 304,000 xWIN token to the PCS v2 pool for swapping it to 903 worth of BNB.
(7) Hacker repeated the second attack with the same logic from 1 to 6. Getting away with 104 worth of BNB."
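The referral accounting in steps (2)(e), (4) and (5) above, modelled as an added Python example that is not xWin's code: a vault that credits the referrer 0.20 xWIN per BNB on gross subscription volume (the rate implied by the quoted 76,000 x 0.20 = 15,200), beside a hardened variant that credits rewards only on deposit lots still held after a locking period, plus a detection rule that flags same-block subscribe/redeem round trips in a vault event log. The class and function names, the 100-block lock, the block numbers, the address labels and the event-log shape are assumptions; the 76,000 BNB and 20 repetitions are the page's figures.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption taken from the page's arithmetic (76,000 x 0.20 = 15,200):
# 0.20 xWIN credited to the referrer per BNB subscribed.
REFERRAL_RATE = 0.20

@dataclass
class GrossVolumeVault:
    """Weak accounting: the referral reward is credited on gross subscription
    volume at deposit time and is never reconciled against redemptions."""
    balances: dict = field(default_factory=dict)
    referral_rewards: dict = field(default_factory=dict)

    def subscribe(self, user, referrer, bnb, block):
        self.balances[user] = self.balances.get(user, 0.0) + bnb
        self.referral_rewards[referrer] = (
            self.referral_rewards.get(referrer, 0.0) + bnb * REFERRAL_RATE)

    def redeem(self, user, bnb, block):
        if self.balances.get(user, 0.0) < bnb:
            raise ValueError("insufficient vault balance")
        self.balances[user] -= bnb

    def vest(self, block):
        pass  # nothing to do: rewards were claimable the moment they were credited

@dataclass
class VestedNetVault:
    """Hardened accounting (assumed design): every deposit is a lot, a redemption
    consumes the user's newest lots first, and a lot earns its referral reward
    only after it has stayed in the vault for `lock_blocks` blocks."""
    lock_blocks: int = 100
    balances: dict = field(default_factory=dict)
    referral_rewards: dict = field(default_factory=dict)
    lots: list = field(default_factory=list)  # [user, referrer, bnb, block]

    def subscribe(self, user, referrer, bnb, block):
        self.balances[user] = self.balances.get(user, 0.0) + bnb
        self.lots.append([user, referrer, bnb, block])

    def redeem(self, user, bnb, block):
        if self.balances.get(user, 0.0) < bnb:
            raise ValueError("insufficient vault balance")
        self.balances[user] -= bnb
        remaining = bnb
        # Newest-first: capital that leaves again immediately never vests.
        for lot in reversed(self.lots):
            if remaining <= 0:
                break
            if lot[0] == user:
                taken = min(lot[2], remaining)
                lot[2] -= taken
                remaining -= taken
        self.lots = [lot for lot in self.lots if lot[2] > 0]

    def vest(self, block):
        pending = []
        for user, referrer, bnb, deposited in self.lots:
            if block - deposited >= self.lock_blocks:
                self.referral_rewards[referrer] = (
                    self.referral_rewards.get(referrer, 0.0) + bnb * REFERRAL_RATE)
            else:
                pending.append([user, referrer, bnb, deposited])
        self.lots = pending

def simulate_loop(vault, loan_bnb=76_000.0, rounds=20, block=1_000):
    """Replay the quoted subscribe/redeem loop: borrowed capital goes in and
    straight back out `rounds` times inside one block, then the block ends.
    Returns (xWIN credited to the referral address, constructed event log)."""
    events = []
    for _ in range(rounds):
        vault.subscribe("looper", "referral_addr", loan_bnb, block)
        events.append({"block": block, "user": "looper", "type": "subscribe", "bnb": loan_bnb})
        vault.redeem("looper", loan_bnb, block)
        events.append({"block": block, "user": "looper", "type": "redeem", "bnb": loan_bnb})
    vault.vest(block + 1)
    return vault.referral_rewards.get("referral_addr", 0.0), events

def round_trips_in_block(events, min_repeats=3):
    """Detection rule for a monitoring job: flag (block, user) pairs where one
    address subscribes and redeems at least `min_repeats` times within a single
    block and ends that block with zero net deposit."""
    subs, reds, net = defaultdict(int), defaultdict(int), defaultdict(float)
    for ev in events:
        key = (ev["block"], ev["user"])
        if ev["type"] == "subscribe":
            subs[key] += 1
            net[key] += ev["bnb"]
        elif ev["type"] == "redeem":
            reds[key] += 1
            net[key] -= ev["bnb"]
    return sorted(k for k in subs
                  if subs[k] >= min_repeats and reds[k] >= min_repeats
                  and abs(net[k]) < 1e-9)
```

Replaying the twenty in-and-out cycles credits 304,000 xWIN in the gross-volume vault and nothing in the vested one, while a depositor who genuinely stays past the lock still earns. The same constructed event log trips the round-trip rule, which is the kind of signal a job watching vault subscribe/redeem events could alert on.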

"We are currently investigating and the XWIN deposit and withdrawal has been temporarily suspended as a matter of urgency. There is no change to the number of units you have locked, so please be patient."

To prevent this, "xWIN team will be (1) Terminating the referral fee system, (2) Terminating the rewards fee system, [and] (3) Terminating manager rewards fee system. All the rewards fee and referral fee accumulated before in the referral address will still be able to [be] withdraw[n] from the UI in xWIN platform." "xWIN team engage[s a] third[-party] IT security [firm] to go through the code, particularly in this area. In addition to the immediate action plans mentioned above, xWIN team continue[s] to assess the discontinued vault[s] that linked to PCS v1 pool and ensure they are disconnected from the xWIN protocol."

"Thank you for your encouragement for yesterday's YouTube. Today, we are going to start building a system to return the favor, communicate with a security company, establish an overseas corporation, and resume marketing activities. Beyond the moon, we are heading for Mars!"

"[W]e have decided on the details of compensation to our community at today’s executive meeting. In conclusion, we will be giving out 1:1 xWIN tokens to all users, who staked in xWIN token and XWIN-BNB LP Token in xWIN farm based on the quantity balance staked in the protocol before the flash loan attack with locking period." "[P]lease check out our instruction video on how to register for compensation!" "The deadline is 12:00 pm (Japan time) on July 2, 2021. After the deadline, you will not be able to apply for compensation."

"On the management side, we will do our best to create a better and more convenient future of the world and the future of Japan for all of our users."

xWin Finance ran an investment platform whose vault assets were held in smart contracts, that is, in an on-chain hot wallet.

The vault's referral-reward logic credited xWIN to a referral address on the gross amount subscribed, even when that deposit was redeemed straight away. This weakness was exploited with flash-loaned capital, and $270k of user funds were taken.

HOW COULD THIS HAVE BEEN PREVENTED?

The safest storage of assets is an offline multi-signature wallet.
