XWin Finance Flash Loan Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:59, 2 May 2023 by Azoundria (talk | contribs)

XWin Finance

XWin Finance had an investment platform, where all assets were stored in a smart contract hot wallet.

This smart contract had a vulnerability in its referral reward accounting, which was exploited with a flash loan, and $270k of user funds were taken.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28]

About XWin Finance

"xWIN is [an] Investment Platform, Index and Trading Vault, Yield Farming & Yield Optimization to make investment easier than ever." "xWin is the fund management platform built with Binance Smart Chain blockchain technology. It provides fund manager to launch the funds easily and connect to investors with hassle free. xWin provide a series of sector index funds in Binance Smart Chain. We included xWIN BSC Defi Index, xWin Binance-Peg Infra Index and xWin US-ANTG Index. There will be more sector vault[s] coming."

"xWin is the decentralized fund management platform built on Binance Smart Chain. It enables everyone who is confident in their trading/fund management skills to open their own funds. Platform users can then subscribe to those funds and earn profits. Our goal was to create a one-stop DeFi protocol, where even total beginners can profit from the biggest wealth transfer in history." "Provide new value at tokenized society from Japan, Tokyo. Our specialities are the solution of the new asset management systems by blockchain and AI." "This project is in Beta. Use at your own risk."

"The DeFi protocol xWin Finance based on Binance Smart Chain was attacked by lightning [i.e. flash] loans. The xWin Finance token XWIN has fallen by nearly 90% in 24 hours."

"On June 24, 2021 xWin Finance slippage control weakness was exploited which resulted in the theft of $270K." "A Flash Loan attack has been identified in XWIN-BNB Pancakeswap LP pool."

Steps that produced the loss, quoted from the incident analysis:

  1. Hacker gets a flash loan as much as 76,000 BNB, equivalent to USD 11m.
  2. Hacker subscribed to the old vault PCLP-XWIN LP vault. PCLP-XWIN vault is an old version vault that allow[s] user[s] to participate in PCS LP farming easily by subscribing to the vault.
     (a) Accepting BNB from user.
     (b) Convert 50% of the BNB into altcoin, in this case XWIN from the PCS LP v1.
     (c) Perform add liquidity in PCS v1 and get the LP token. XWIN-BNB PCS LP v1 still has small liquidity that allow[s] the swapping regardless of the volume.
     (d) PCLP-XWIN vault will mint PCLP-XWIN token to the user as the proof of ownership of the vault.
     (e) xWIN Protocol recorded the entitled referral xWIN token rewards to the referral address.
  3. Hacker redeemed it by calling redeem function in xWIN protocol. Redeem function will
     (a) accept PCLP-XWIN token.
     (b) Vault will unfarm the LP token and convert the LP token back to BNB and XWIN.
     (c) Vault convert[s] all the XWIN back to the BNB and send[s it] back to user.
  4. By the action in 1 and 2 mentioned above, xWIN protocol recognized the subscription of 76,000 BNB and therefore marked a 76,000 x 0.20 = 15,200 xWIN token entitlement for the referral address.
  5. Hacker repeated the steps of 1, 2 and 3 as many as 20 times with total of 304,000 xWIN token.
  6. Hacker sent the 304,000 xWIN token to the PCS v2 pool for swapping it to 903 worth of BNB.
  7. Hacker repeated the second attack with the same logic from 1 to 6. Getting away of 104 worth of BNB.
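The referral accounting those steps rely on, modelled as an added example (not xWIN's own code): a toy vault that books referral credit on gross subscription volume, as the page describes, beside a hardened variant, added here as a mitigation rather than xWIN's actual fix, that only realises credit once a deposit has been held across at least one block, which same-block flash-loan cycling can never satisfy. The block numbers, user names and the hold period are assumptions; the 0.20 rate, 76,000 BNB and 20 rounds come from the steps above.

```python
from dataclasses import dataclass, field

# Figures from the page's root-cause description: 0.20 xWIN of referral credit per
# BNB subscribed (2000 basis points), a 76,000 BNB flash loan, cycled 20 times.
REFERRAL_BPS, FLASH_LOAN_BNB, ROUNDS = 2000, 76_000, 20

def referral_credit(bnb: int) -> int:
    return bnb * REFERRAL_BPS // 10_000

@dataclass
class VolumeVault:
    """Weak accounting (the behaviour the page describes): credit is booked on
    gross subscription volume at subscribe time and never clawed back on redeem."""
    holdings: dict = field(default_factory=dict)
    referral: dict = field(default_factory=dict)

    def subscribe(self, user, referrer, bnb, block):
        self.holdings[user] = self.holdings.get(user, 0) + bnb
        self.referral[referrer] = self.referral.get(referrer, 0) + referral_credit(bnb)

    def redeem(self, user, block):
        return self.holdings.pop(user, 0)

@dataclass
class HoldingVault:
    """Hardened accounting (a mitigation added here, not xWIN's own fix): credit is
    realised only if the deposit was held for min_hold_blocks before redeem. A
    flash loan must be repaid in the block it was taken, so cycled capital never vests."""
    min_hold_blocks: int = 1  # assumed hold period
    deposits: dict = field(default_factory=dict)  # user -> [(bnb, referrer, block)]
    referral: dict = field(default_factory=dict)

    def subscribe(self, user, referrer, bnb, block):
        self.deposits.setdefault(user, []).append((bnb, referrer, block))

    def redeem(self, user, block):
        out = 0
        for bnb, referrer, deposited_at in self.deposits.pop(user, []):
            out += bnb
            if block - deposited_at >= self.min_hold_blocks:  # vested: pay the referrer
                self.referral[referrer] = self.referral.get(referrer, 0) + referral_credit(bnb)
        return out

def cycle_flash_loan(vault, rounds=ROUNDS, block=100):
    """Replay the page's pattern: subscribe borrowed BNB, redeem in the same block, repeat."""
    for _ in range(rounds):
        vault.subscribe("cycler", "cycler-ref", FLASH_LOAN_BNB, block)  # constructed names
        vault.redeem("cycler", block)
    return vault.referral.get("cycler-ref", 0)
```

Against VolumeVault the cycle yields the 304,000 xWIN the page reports; against HoldingVault it yields nothing, while a deposit held for one block still earns its referrer the normal credit.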

"We are currently investigating and the XWIN deposit and withdrawal has been temporarily suspended as a matter of urgency. There is no change to the number of units you have locked, so please be patient."

To prevent this, "xWIN team will be (1) Terminating the referral fee system, (2) Terminating the rewards fee system, [and] (3) Terminating manager rewards fee system. All the rewards fee and referral fee accumulated before in the referral address will be still able to withdraw from the UI in xWIN platform." "xWIN team engage[d a] third[-party] IT security [firm] to go through the code, particularly [in] this area. In addition to the immediate action plans mentioned above, xWIN team continue to access the discontinued vault[s] that linked to PCS v1 pool and ensure they are disconnected from the xWIN protocol."

"Thank you for your encouragement for yesterday's YouTube. Today, we are going to start building a system to return the favor, communicate with a security company, establish an overseas corporation, and resume marketing activities. Beyond the moon, we are heading for Mars!"

"[W]e have decided on the details of compensation to our community at today’s executive meeting. In conclusion, we will be giving out 1:1 xWIN tokens to all users, who staked in xWIN token and XWIN-BNB LP Token in xWIN farm based on the quantity balance staked in the protocol before the flash loan attack with locking period." "[P]lease check out our instruction video on how to register for compensation!" "The deadline is 12:00 pm (Japan time) on July 2, 2021. After the deadline, you will not be able to apply for compensation."

"On the management side, we will do our best to create a better and more convenient future of the world and the future of Japan for all of our users."

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - xWin Finance Flash Loan Attack

  Date | Event | Description
  June 24th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $270,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The safest storage of assets is an offline multi-signature wallet.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
  2. No Title (Jul 24, 2021)
  3. Xwin Finance Incident Root Cause Analysis (Jul 24, 2021)
  4. Summary Of The Misuse Of Flash Loan Against Xwin Protocol (Jul 24, 2021)
  5. xWIN Finance | DappRadar (Aug 1, 2021)
  6. $xWIN xwin.finance (#BSC) Low mc gem! : CryptoMoonShots (Aug 1, 2021)
  7. About – xwin.finance – Medium (Aug 1, 2021)
  8. @xwinfinance Twitter (Aug 1, 2021)
  9. @xwinfinance Twitter (Aug 1, 2021)
  10. @xwinfinance Twitter (Aug 1, 2021)
  11. @xwinfinance Twitter (Aug 1, 2021)
  12. @xwinfinance Twitter (Aug 1, 2021)
  13. @xwinfinance Twitter (Aug 1, 2021)
  14. フラッシュローンの攻撃の分析結果とxWINの今後について① Analysis results of flash loan attacks and future of xWIN ① - YouTube (Aug 1, 2021)
  15. @xwinfinance Twitter (Aug 1, 2021)
  16. @xwinfinance Twitter (Aug 1, 2021)
  17. @xwinfinance Twitter (Aug 1, 2021)
  18. @xwinfinance Twitter (Aug 1, 2021)
  19. @xwinfinance Twitter (Aug 1, 2021)
  20. @xwinfinance Twitter (Aug 1, 2021)
  21. フラッシュローンの攻撃の分析結果とxWINの今後について② Analysis results of flash loan attacks and future of xWIN ② - YouTube (Aug 1, 2021)
  22. Details Of Compensation To Fans And Users And Future Actions Of Xwin (Aug 1, 2021)
  23. Compensation Program Explanation 2021.06.29 - YouTube (Aug 1, 2021)
  24. Official Announcement From The Xwin Community (Aug 1, 2021)
  25. Details Of Compensation Program (Aug 1, 2021)
  26. Notice From Xwin Community (Aug 1, 2021)
  27. xWIN Finance Intro - xWin Docs (Aug 1, 2021)
  28. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)