XSurge Reentrancy Attack: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xsurgereentrancyattack.php}} thumb|XSurgeThe XSurge smart contract was exploited and $5m was taken from investors. It appears that XSurge is making efforts to recompensate affected users. They put out an initial snapshot of balances to be compensated. They also completed an audit with CertiK. This is a global/international case not involving a specific country. == About XSur...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xsurgereentrancyattack.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/xsurgereentrancyattack.php}} | ||
{{Unattributed Sources}} | |||
[[File:Xsurge.jpg|thumb|XSurge]]The XSurge smart contract was exploited and $5m was taken from investors. | [[File:Xsurge.jpg|thumb|XSurge]]The XSurge smart contract was exploited and $5m was taken from investors. | ||
| Line 5: | Line 6: | ||
It appears that XSurge is making efforts to recompensate affected users. They put out an initial snapshot of balances to be compensated. They also completed an audit with CertiK. | It appears that XSurge is making efforts to recompensate affected users. They put out an initial snapshot of balances to be compensated. They also completed an audit with CertiK. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="bscdotnews-3143" /><ref name="bscscan-3144" /><ref name="xsurgedefitwitter-3145" /><ref name="moonmarktwitter-3146" /><ref name="openblocksecgithub-2342" /><ref name="xsurgedefitwitter-3147" /><ref name="blocksecteamtwitter-3148" /><ref name="unsafecalltwitter-3149" /><ref name="xsurge-3150" /><ref name="bscscan-3151" /><ref name="xsurgedefitwitter-3152" /><ref name="certik-3153" /><ref name="xsurgedefitwitter-3154" /><ref name="xsurgedefitwitter-3155" /> | ||
== About XSurge == | == About XSurge == | ||
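Review bot: in the changed line of this hunk, all fourteen named references are attached to the single sentence "This is a global/international case not involving a specific country.", so the statements above it (the $5m loss, the compensation snapshot, the CertiK audit) still carry no citation. Suggest moving each ref tag next to the statement it supports; the "certik-3153" reference, for example, fits the audit sentence.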
| Line 65: | Line 66: | ||
!Description | !Description | ||
|- | |- | ||
|August 16th, 2021 | |August 16th, 2021 | ||
|Main Event | |Main Event | ||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
| Line 73: | Line 74: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
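Review bot: the new "Technical Details" section contains only the template prompt. The quoted analysis already on the page under About XSurge (an external call before "_totalSupply" was updated, with the sell/purchase sequence repeated about 8 times) is the material this section asks for; suggest moving it here together with its reference.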
| Line 92: | Line 96: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
In general, smart contract funds should be considered as a form of hot wallet. Its better to have funds in offline multi-signature storage, which could be used for the majority of funds when the team is known. When not possible, there exist protocols to provide insurance, and an industry fund can serve as an alternative to ensure investors are protected. | |||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://www.bsc.news/post/xsurge-faces-5-000-000-exploit-despite-experienced-developers-and-promises-of-security XSurge Faces $5,000,000 Exploit Despite Promises of Security] (Aug | <references><ref name="bscdotnews-3143">[https://www.bsc.news/post/xsurge-faces-5-000-000-exploit-despite-experienced-developers-and-promises-of-security XSurge Faces $5,000,000 Exploit Despite Promises of Security] (Aug 17, 2021)</ref> | ||
[https://bscscan.com/tx/0x8c93d6e5d6b3ec7478b4195123a696dbc82a3441be090e048fe4b33a242ef09d Binance Transaction Hash (Txhash) Details | BscScan] (Aug | <ref name="bscscan-3144">[https://bscscan.com/tx/0x8c93d6e5d6b3ec7478b4195123a696dbc82a3441be090e048fe4b33a242ef09d Binance Transaction Hash (Txhash) Details | BscScan] (Aug 17, 2021)</ref> | ||
[https://twitter.com/XSURGEDEFI/status/1427388385853943812 @XSURGEDEFI Twitter] (Aug | <ref name="xsurgedefitwitter-3145">[https://twitter.com/XSURGEDEFI/status/1427388385853943812 @XSURGEDEFI Twitter] (Aug 17, 2021)</ref> | ||
[https://twitter.com/MoonMark_/status/1421218395559796738 @MoonMark_ Twitter] (Aug | <ref name="moonmarktwitter-3146">[https://twitter.com/MoonMark_/status/1421218395559796738 @MoonMark_ Twitter] (Aug 17, 2021)</ref> | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug | <ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref> | ||
[https://twitter.com/XSURGEDEFI/status/1427359459102404609 @XSURGEDEFI Twitter] (Aug | <ref name="xsurgedefitwitter-3147">[https://twitter.com/XSURGEDEFI/status/1427359459102404609 @XSURGEDEFI Twitter] (Aug 29, 2021)</ref> | ||
[https://twitter.com/BlockSecTeam/status/1427482803134894080 @BlockSecTeam Twitter] (Aug | <ref name="blocksecteamtwitter-3148">[https://twitter.com/BlockSecTeam/status/1427482803134894080 @BlockSecTeam Twitter] (Aug 29, 2021)</ref> | ||
[https://twitter.com/unsafe_call/status/1427684733304123392 @unsafe_call Twitter] (Aug | <ref name="unsafecalltwitter-3149">[https://twitter.com/unsafe_call/status/1427684733304123392 @unsafe_call Twitter] (Aug 29, 2021)</ref> | ||
[https://xsurge.net/ xSurge - True Decentralized Finance.] (Sep | <ref name="xsurge-3150">[https://xsurge.net/ xSurge - True Decentralized Finance.] (Sep 15, 2021)</ref> | ||
[https://bscscan.com/tx/0x7e2a6ec08464e8e0118368cb933dc64ed9ce36445ecf9c49cacb970ea78531d2 Binance Transaction Hash (Txhash) Details | BscScan] (Sep | <ref name="bscscan-3151">[https://bscscan.com/tx/0x7e2a6ec08464e8e0118368cb933dc64ed9ce36445ecf9c49cacb970ea78531d2 Binance Transaction Hash (Txhash) Details | BscScan] (Sep 19, 2021)</ref> | ||
[https://twitter.com/XSURGEDEFI/status/1431478123854499844 @XSURGEDEFI Twitter] (Sep | <ref name="xsurgedefitwitter-3152">[https://twitter.com/XSURGEDEFI/status/1431478123854499844 @XSURGEDEFI Twitter] (Sep 19, 2021)</ref> | ||
[https://www.certik.org/projects/surgeeth CertiK Security Leaderboard - Surge ETH] (Sep | <ref name="certik-3153">[https://www.certik.org/projects/surgeeth CertiK Security Leaderboard - Surge ETH] (Sep 19, 2021)</ref> | ||
[https://twitter.com/XSURGEDEFI/status/1436529806145949698 @XSURGEDEFI Twitter] (Sep | <ref name="xsurgedefitwitter-3154">[https://twitter.com/XSURGEDEFI/status/1436529806145949698 @XSURGEDEFI Twitter] (Sep 19, 2021)</ref> | ||
[https://twitter.com/XSURGEDEFI/status/1431478736008929283 @XSURGEDEFI Twitter] (Sep | <ref name="xsurgedefitwitter-3155">[https://twitter.com/XSURGEDEFI/status/1431478736008929283 @XSURGEDEFI Twitter] (Sep 19, 2021)</ref></references> | ||
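Review bot: in the references, "openblocksecgithub-2342" is dated Aug 11, 2021, which is earlier than the August 16th, 2021 main event in the timeline table; the date should be checked against the source. In the added General Prevention Policies paragraph, "Its better" should read "It's better".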
Latest revision as of 12:29, 3 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The XSurge smart contract was exploited and $5m was taken from investors.
It appears that XSurge is making efforts to compensate affected users. They put out an initial snapshot of balances to be compensated. They also completed an audit with CertiK.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About XSurge
XSurge describes itself as "The Defi Revolution". "Explore our fast growing smart chain ecosystem that fosters innovation and encourages a truly decentralized future through on-chain liquidity, and fully renounced ownership."
"Each transaction triggers a fee that raises the price of Surge relative to its underlying asset. That means Buys, Transfers, and Sells raise the price." "6% fee to buy, 6% fee to sell, 7% fee to navigate between tokens (i.e., SETH to SBTC) & 2% fee for wallet-to-wallet transfers."
"In accordance with our Security First Approach, we have undergone and completed third party verification of our SurgeETH Token Contract. The audit was conducted through Certik, a highly esteemed blockchain auditor. Using their in-house formal verification technology, Certik provides a thorough assessment that outlines vulnerability ranking scores for various factors. Following completion of the audit, we are happy to report SurgeETH has earned an admirable rating for these factors along with a very high Security Score. In addition, SurgeETH will be under 24/7 Skynet Monitoring from the Certik Dashboard to further assure our community that security and integrity are always our first priority."
"Surge even boasted a well-known developer from SafeMoon, SafemoonMark - SafeMoon CEO, John Karony, has since announced he is no longer a part of the team." "SafemoonMark came out as the writer of Surge code and mentioned safety from Rug Pulls via a Tweet on July 30th."
"The Surge ETH Protocol is a decentralized finance (DeFi) token deployed on the Binance smart chain (BSC). Send BNB to this contract and it mints Surge Token to your receive address, then BNB will be exchanged for _token. _token is ETH. When selling Surge Token by interacting with the contract directly, the price is calculated as a ratio between the underlying asset of _token and total supply in the contract. When the user mistakenly transfers other tokens to this contract, owner can convert these tokens into _token."
“With ownership fully renounced, no liquidity, and no need for DApps, there is no possibility of a rug pull or whale dominance,” is the lofty statement on the XSurge webpage. Although that has been categorically proven untrue, it does not stop others from being influenced.
“There is absolutely no risk of a rug pull! There is no liquidity, no dev tokens, no exchange or the possibility of whales monopolizing ownership.” This was the statement in the most recent Medium post by AG Digikemet, an apparent supporter and volunteer.
"In the same tweet XSurge noted that it had been a backdoor exploit, meaning normal processes had been bypassed. The team also tried to quell fears of a further attack by explaining that SurgeUSD and SurgeETH do not withdraw BNB and therefore cannot be exploited in the same manner."
"After an initial investigation, it seems to be a reentrancy-based price manipulation attack." "SURGEBNB got pwned by an external call before important state updates. A call to sell resulted in BnB being sent back to the user allowing an additional call to purchase(...) before the _totalSupply was updated."
"The attacker utilized the fallback function which would purchase surge tokens. They performed the sell/purchase attack about 8 times and profited ~12,161.157 BNB after paying off the flash loan."
"#SurgeFund Has Launched! Next 36 hours will be spent verifying with the community that our snapshot data was correct, then we will allow victims of August 16th to claim BNB daily, permitting there are funds available to claim!" "The CertiK audit for #SurgeETH is officially underway!"
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| August 16th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
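The ordering flaw quoted under About XSurge (BNB sent to the seller before _totalSupply is updated, so a purchase made from the receiving call is priced from stale state) can be reproduced in a small model. This Python model is an added example, not XSurge's contract code; the class, the pool figures and the price = reserve / total supply rule are simplifying assumptions, and the hardened path uses the standard checks-effects-interactions order plus a reentrancy lock.

```python
from contextlib import suppress
from fractions import Fraction

class SurgeModel:
    """Constructed model, not XSurge's contract: price = reserve / total_supply."""
    def __init__(self, reserve, supply, hardened):
        self.reserve = Fraction(reserve)         # BNB held by the contract
        self.total_supply = Fraction(supply)
        self.balances = {}
        self.hardened, self.locked = hardened, False

    def price(self):
        return self.reserve / self.total_supply

    def _enter(self):
        if self.hardened and self.locked:        # guard enforced only when hardened
            raise RuntimeError("reentrant call rejected")

    def purchase(self, who, bnb):
        self._enter()
        minted = bnb / self.price()              # priced from current state
        self.reserve += bnb
        self.total_supply += minted
        self.balances[who] = self.balances.get(who, 0) + minted

    def _burn(self, who, tokens):
        self.balances[who] -= tokens
        self.total_supply -= tokens

    def sell(self, who, tokens, on_receive):
        self._enter()
        payout = tokens * self.price()
        self.reserve -= payout                   # BNB leaves with the call
        if self.hardened:
            self._burn(who, tokens)              # effects before interaction
        self.locked = True
        try:
            on_receive(payout)                   # external call to the seller
        finally:
            self.locked = False
        if not self.hardened:
            self._burn(who, tokens)              # flaw: supply updated too late

def observe_sale(hardened):
    """Sell 100 tokens; the receiver reads the price and tries to buy again."""
    pool = SurgeModel(reserve=1000, supply=1000, hardened=hardened)
    pool.balances["seller"] = Fraction(100)      # constructed starting balance
    seen = {"before": pool.price(), "reentered": False}
    def receiver(payout):
        seen["during"] = pool.price()
        with suppress(RuntimeError):
            pool.purchase("seller", payout)
            seen["reentered"] = True
    pool.sell("seller", Fraction(100), receiver)
    seen["final_balance"] = pool.balances["seller"]
    return seen
```

In the vulnerable mode the seller is paid out in full and still ends the call holding 1000/9 tokens; in the hardened mode the price read inside the callback equals the pre-sale price and the nested purchase is rejected.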
Total Amount Lost
The total amount lost has been estimated at $5,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
In general, smart contract funds should be considered as a form of hot wallet. It's better to have funds in offline multi-signature storage, which could be used for the majority of funds when the team is known. When not possible, there exist protocols to provide insurance, and an industry fund can serve as an alternative to ensure investors are protected.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. XSurge Faces $5,000,000 Exploit Despite Promises of Security (Aug 17, 2021)
2. Binance Transaction Hash (Txhash) Details | BscScan (Aug 17, 2021)
3. @XSURGEDEFI Twitter (Aug 17, 2021)
4. @MoonMark_ Twitter (Aug 17, 2021)
5. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
6. @XSURGEDEFI Twitter (Aug 29, 2021)
7. @BlockSecTeam Twitter (Aug 29, 2021)
8. @unsafe_call Twitter (Aug 29, 2021)
9. xSurge - True Decentralized Finance. (Sep 15, 2021)
10. Binance Transaction Hash (Txhash) Details | BscScan (Sep 19, 2021)
11. @XSURGEDEFI Twitter (Sep 19, 2021)
12. CertiK Security Leaderboard - Surge ETH (Sep 19, 2021)
13. @XSURGEDEFI Twitter (Sep 19, 2021)
14. @XSURGEDEFI Twitter (Sep 19, 2021)