BankX XSD BurnPoolXSD Re-Entry Vulnerability Exploited 2
BankX is a decentralized financial platform focused on its stablecoin, XSD, which is pegged to the price of 1 gram of silver, offering users a unique way to store value and earn interest. The platform allows minting of XSD, earning rewards, and participating in activities like buying NFTs, joining a leaderboard, and a referral program. In February 2025, BankX again faced a security breach where its XSD-WBNB pool on BSC was attacked, resulting in the loss of about 57 BNB. The attack exploited a re-entrancy vulnerability in the platform’s smart contract, allowing the attacker to manipulate XSD prices by burning tokens and profiting from price manipulation. It remains uncertain when or if BankX will address these vulnerabilities.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About BankX
BankX is a financial platform centered around a stablecoin called XSD, designed to offer individuals greater financial freedom. The platform allows users to mint XSD stablecoins, offering them an opportunity to earn rewards. One key feature of BankX is its focus on providing a deflationary token, known as the BankX Token, which aims to increase in value over time. BankX also offers various services, including the ability to buy NFTs, participate in a leaderboard for competitive rewards, and engage in a referral program to earn additional incentives.
The platform operates with a minting interest rate of 5.28%, ensuring that users who mint XSD can benefit from passive earnings. BankX is built on a decentralized system, allowing for financial independence without relying on traditional banking structures. It provides a comprehensive set of resources, including documentation and terms of use, to help users understand the platform. Whether you are looking to mint XSD, purchase NFTs, or participate in its rewards program, BankX offers a unique solution for individuals seeking to manage their finances in the crypto space.
BankX introduces XSD, a stablecoin pegged to the price of 1 gram of silver, providing a unique way to store value and earn interest. Unlike traditional stablecoins, XSD is crypto-backed and designed to eliminate the risk of liquidation. This ensures that users can mint and hold XSD without worrying about the typical volatility seen in many digital assets. The platform allows users to track XSD's value against silver, providing a more stable alternative for crypto investors.
BankX offers a variety of uses and ways for users to profit, catering to different levels of expertise in the crypto space.
For beginners, BankX allows users to create the XSD stablecoin and earn interest. Additionally, users can lock up BankX tokens in Token Lockup Rewards, which generates interest in the form of more BankX tokens. This is a simple way for beginners to start earning and participating in the ecosystem.
For intermediate users, BankX introduces the concept of "looping," where users can use the stablecoin they minted to buy more collateral, mint more XSD, and earn even more interest. This process can be repeated multiple times to maximize returns.
For advanced users, BankX provides opportunities to engage with liquidity pools and the Integrated Protocol Owned Liquidity (IPOL) system. Users can earn rewards by providing liquidity or adding collateral when the stablecoin is in a deficit. Additionally, BankX supports arbitrage opportunities where users can profit by maintaining the peg of XSD. By burning BankX tokens or XSD at the right times, users can buy tokens at a discount, mint more stablecoin, or lock up tokens for additional rewards.
"In times of collateral deficit (which is usually caused by a drop in the price of the collateral used to mint XSD), the system gives incentives in the form of bonus BankX tokens and the XSD stablecoin for you to add collateral to the stablecoin. Instead of liquidation, we offer incentives to add collateral instead."
The Reality
The BankX smart contract contains a re-entrancy vulnerability which allows "an attacker to manipulate the pool’s price by burning XSD tokens in a way that distorts the price".
What Happened
The BankX smart contract was exploited, and 57 BNB was extracted.
| Date | Event | Description |
|---|---|---|
| September 26th, 2023 12:37:12 PM MDT | Similar Attack Transaction | A previous version of the BankX smart contract suffers a re-entry issue which triggers burnpoolXSD, the same as in the current exploit. |
| February 6th, 2025 3:27:30 PM MST | Attack Transaction Occurs | The BankX smart contract is attacked with a re-entry vulnerability. |
| February 7th, 2025 2:57:00 AM MST | SlowMist Posts Tweet | SlowMist posts a tweet about "potential suspicious activity related to @BankXio". |
| February 7th, 2025 3:19:00 AM MST | ExVulSec Tweet Posted | ExVulSec posts a security alert. Their "team has found some suspicious transfers with @BankXio". They warn users to "[k]eep an eye out for [their] assets!" |
| February 7th, 2025 10:12:00 AM MST | Tikkala Research Post | Tikkala Research reports that the $XSD token was attacked again, with the victim contract losing approximately 57 BNB, worth around $32k. The attack exploited the same vulnerability as before, involving a re-entry issue that triggered the burnpoolXSD() function and altered the swap K number. Both the latest and previous hack transactions are similar and were funded from the same address. Tikkala Research expressed confusion as to why the same vulnerable code was deployed again. |
| February 7th, 2025 1:59:00 PM MST | BankX Meeting Not Mentioned | BankX developers hold an hour and a half long meeting. There's no mention at all of the exploit. |
Technical Details
"Both are caused by a re-entry issue and then triggered burnpoolXSD(), which also changes the swap K number."
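The mechanism quoted above, modelled as an added example that is not BankX's contract code or part of the original case study: a toy constant-product pool in which an external call made mid-swap can reach a burn of the XSD reserve, beside the same pool with a re-entrancy lock. The `Pool` class, its method names, the reserve figures and the assumption that the burn removes XSD from one side of the pool only are all hypothetical.

```python
from contextlib import contextmanager

class ReentrantCall(Exception):
    """A guarded pool function was entered while another was still running."""

class Pool:
    """Toy constant-product pool (xsd * wbnb = K); hypothetical, not BankX code."""
    def __init__(self, xsd, wbnb, guarded):
        self.xsd, self.wbnb = xsd, wbnb      # reserves (constructed values)
        self.guarded = guarded               # True = variant with a mutex
        self._locked = False

    @contextmanager
    def _non_reentrant(self):
        if self.guarded and self._locked:
            raise ReentrantCall("pool function re-entered")
        was_locked, self._locked = self._locked, True
        try:
            yield
        finally:
            self._locked = was_locked

    def k(self):
        return self.xsd * self.wbnb

    def burn_pool_xsd(self, amount):
        # Assumption: the burn destroys XSD in the reserve and touches one side only.
        with self._non_reentrant():
            self.xsd -= amount

    def swap_wbnb_for_xsd(self, wbnb_in, on_receive):
        with self._non_reentrant():
            k_before = self.k()
            new_wbnb = self.wbnb + wbnb_in
            new_xsd = -(-k_before // new_wbnb)   # ceiling keeps K from shrinking
            xsd_out = self.xsd - new_xsd         # quote fixed from pre-call reserves
            on_receive(self)                     # external call before state is written
            self.xsd -= xsd_out
            self.wbnb = new_wbnb
            return k_before, self.k()

def run(guarded, burn_amount):
    """Swap 100 WBNB while the external call tries a nested burn of burn_amount XSD."""
    pool = Pool(xsd=1_000_000, wbnb=1_000, guarded=guarded)
    try:
        return pool.swap_wbnb_for_xsd(100, lambda p: p.burn_pool_xsd(burn_amount))
    except ReentrantCall:
        return ("reverted", pool.k())
```

In the unguarded variant the swap settles against reserves that no longer match the ones its quote was computed from, so K drops within a single operation; with the lock, the nested burn is rejected before any reserve changes.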
Total Amount Lost
57.308121814394883829 BNB
The total amount lost has been estimated at $43,000 USD.
Immediate Reactions
There does not appear to have been any reaction to the exploit. The BankX development team has not mentioned the exploit on their Twitter, and has continued to hold its meetings as though nothing had happened.
Ultimate Outcome
The pricing of XSD currently varies across different blockchains, with discounts on the current price of 1 gram of silver depending on the network. For example, XSD on Ethereum is priced at $0.23 (a 78.53% discount), while on Arbitrum, it’s only $0.03 (a 97.03% discount). Other networks like BNB, Polygon, and Optimism also offer significant discounts on the XSD price, ranging from 92.14% to 95.13%. These varying prices across blockchains present users with opportunities to acquire XSD at different rates, maximizing potential savings.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
It is unclear when or if BankX is going to notice and resolve the vulnerabilities in their smart contract.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SlowMist - "SlowMist Security Alert We detected potential suspicious activity related to @BankXio. As always, stay vigilant!" - Twitter/X (Accessed Mar 19, 2025)
- Bankx.io Homepage (Accessed Mar 20, 2025)
- Bankx.io About (Accessed Mar 20, 2025)
- What You Can Do? The BankX System Has Many Uses & Ways To Profit. - BankX Docs (Accessed Mar 20, 2025)
- Intermediate: LOOPING!!! LOOPING Liquidation Free! - BankX Docs (Accessed Mar 20, 2025)
- Tikkala Research - "Token $XSD was attacked again @BankXio, the victim contract 0xaadae9117df8b5d584378a41a105cc4862a16e99 lost about ~57BNB and it worth about $32k." - Twitter/X (Accessed Mar 20, 2025)
- Tikkala Research - "It's not a new attack; the vulnerability is the same as before. The latest hack transaction and the previous hack transaction are similar. Both are caused by a re-entry issue and then triggered burnpoolXSD(), which also changes...ter/X (Accessed Mar 20, 2025)
- ExVulSec - "Security Alert our team has found some suspicious transfers with @BankXio. Keep an eye out for your assets!" - Twitter/X (Accessed Mar 20, 2025)
- @cryptocrim66608 Twitter (Accessed Mar 20, 2025)
- BlockThreat - Week 6, 2025 (Accessed Mar 20, 2025)
- BankX Open Discussions: Crypto, AI, Trump, Market & Stablecoins - Twitter/X (Accessed Mar 20, 2025)
- Attack Transaction - BSCScan (Accessed Mar 20, 2025)
- Second Attack Transaction - BSCScan (Accessed Mar 20, 2025)