XBank Finance Precision Loss Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


XBank Finance

xBank Finance is a non-custodial liquidity market protocol built on zkSync that facilitates lending and borrowing while prioritizing risk management. Despite being based on Compound Finance's audited and well-developed smart contracts, xBank Finance was exploited, resulting in a significant loss of funds affecting all depositors. The exploit combined a flash loan with a precision loss attack that manipulated the xETH exchange rate, from which the exploiter profited. Despite efforts to negotiate with the exploiter and offer a white hat bounty, they refused to cooperate, leading the team to classify them as a black hat. Efforts to track and recover the funds are ongoing, with external security teams involved in monitoring the situation. The team issued a warning to the exploiter, emphasizing their determination to pursue legal action and ensure accountability for the breach.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About XBank Finance

"The Non-Custodial Liquidity Market Protocol Built on zkSync Era"

"xBank manages deposits for lenders and facilitates lending of the deposited asset for borrowers while performing appropriate risk management to protect the lenders from risks of illiquidity and insolvency."

"xBank is forked from Compound Finance, whose smart contracts were audited and carefully developed. Compound has never experienced any exploitation, and both xBank’s and Compound’s smart contracts have consistently operated as intended."

"According to feedback from multiple community members, the zkSync ecosystem lending platform @xBankFinance is suspected of a rug pull. Currently, the official account displays that it has been frozen, and the platform's liquidity is reduced to single-digit assets."

"zkSync's ecosystem lending platform xBankFinance suspected of being a Rug pull. According to feedback from multiple community members, zkSync's ecosystem lending platform xBankFinance is suspected of being a Rug pull. Currently, the official announcement indicates that the account has been frozen, and the platform's liquidity is only left with single-digit assets."

"@xBank_Finance was unfortunately exploited by a malicious actor." "We are trying to get hold of the exploiter to offer whitehat bounty to return the funds. A post-mortem analysis is being conducted. We sincerely appreciate your patience and understanding during this time."

"It is with regret that we inform you that xBank Finance was exploited. We have conducted a thorough investigation into the issue and have found that the exploiter conducted a Precision Loss attack on xBank and have netted a total of ~$550,000."

"All of xBank Finance’s depositors are affected." "Total Impact: 46,001.368248 USDC, 0.57374109 WBTC, 149.884669041911623518 ETH"

"The exploiter conducted a flashloan of $7M USDC from Syncswap & deposited them into ZeroLend to borrow 2,000 WETH using his first contract, which we will refer to as “Evil Contract #1”

The exploiter unwrapped 2,000 WETH to ETH and deposited the whole amount to xBank Finance. The exploiter then borrowed ~49,000 USDC, 0.57 BTC, and 1,622.43 ETH from xBank and transferred 1,622.43 ETH to another contract, which we refer to as “Evil Contract #2”.

With the funds in Evil Contract #2, the exploiter deposited a certain amount of ETH into xBank to receive an equivalent value in xETH, a receipt token for ETH deposits on the platform. Later, they manipulated the exchange rate of xETH by exploiting a precision loss through a loop.

Initially, Evil Contract #2 deposited 0.000000000200477909 ETH to obtain precisely 0.00000001 xETH (exchange rate: 2.0047790740972892e+26). Following this, Evil Contract #2 invoked the redeemUnderlying function with 0.000000000400955813 ETH as input. Due to truncation of decimals on the blockchain, the contract miscalculated the required shares, resulting in a redemption of more ETH than intended. Normally, this would be inconsequential as the surplus amount is negligible. Evil Contract #2 iterated these steps, progressively reducing the xETH to ETH conversion until Evil Contract #1’s account became liquidatable, as xETH is used in the calculation of the liquidation formula. After finding out that Evil Contract 1 account is liquidatable, Evil Contract 2 then liquidated Evil Contract 1 and repaid 811.21892949010806335 ETH.

After seizing all assets of Evil Contract 1's account, Evil Contract 2 redeemed all shares and got 2,149.88 ETH back, then returned the 2,000 ETH loan to ZeroLend to withdraw the deposit of $7M USDC and return it to SyncSwap.

Through this process, the exploiter was able to make a profit of 46,001.368248 USDC, 0.57374109 WBTC, and 149.884669041911623518 ETH from the exploit."
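The arithmetic described in the quoted post-mortem, as an added illustration that is not xBank's or Compound's code: a constructed cash/supply model with Compound-style truncating division, using the deposit and redeem figures quoted above, shows that rounding shares down in redeemUnderlying lets a single xETH unit withdraw almost two units' worth of ETH and lowers the exchange rate, while rounding shares up (or reverting when the caller lacks the shares) keeps the rate non-decreasing. Borrows, reserves, interest accrual and the second account are omitted (assumptions), and the pool size and the depositor's balance are constructed.

```python
MANTISSA = 10**18  # Compound-style 1e18 fixed-point scale for the exchange rate

class Market:
    def __init__(self, cash_wei, total_supply, depositor_shares=0):
        self.cash = cash_wei              # underlying ETH held by the market, in wei
        self.total_supply = total_supply  # xToken units (the token has 8 decimals)
        self.shares = depositor_shares    # xToken balance of the account being modelled

    def exchange_rate(self):
        # Compound: (cash + borrows - reserves) * 1e18 / totalSupply; borrows and
        # reserves are left out of this model (assumption)
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount_wei):
        # mintTokens = mintAmount * 1e18 / exchangeRate, truncated toward zero
        tokens = amount_wei * MANTISSA // self.exchange_rate()
        self.cash += amount_wei
        self.total_supply += tokens
        self.shares += tokens
        return tokens

    def redeem_underlying(self, amount_wei, round_up):
        rate = self.exchange_rate()
        if round_up:  # hardened: ceil(amount / rate) shares, rounding favours the pool
            tokens = (amount_wei * MANTISSA + rate - 1) // rate
        else:         # as forked: floor(amount / rate) shares, rounding favours the caller
            tokens = amount_wei * MANTISSA // rate
        if tokens > self.shares:
            raise ValueError("insufficient xToken balance")  # the contract would revert
        self.cash -= amount_wei
        self.total_supply -= tokens
        self.shares -= tokens
        return tokens

def round_trip(round_up, prior_shares=0):
    # One deposit/redeemUnderlying pair using the figures quoted in the post-mortem.
    # Constructed pool: 10 xETH of supply priced at the quoted rate 2.0047790740972892e26
    market = Market(200_477_907_409_728_920, 10**9, prior_shares)
    rate_before = market.exchange_rate()
    minted = market.mint(200_477_909)  # 0.000000000200477909 ETH -> exactly 1 unit
    try:
        burned = market.redeem_underlying(400_955_813, round_up)  # 0.000000000400955813 ETH
    except ValueError:
        burned = None  # hardened rounding asked for more shares than the depositor holds
    return {
        "minted": minted, "burned": burned,
        "rate_before": rate_before, "rate_after": market.exchange_rate(),
        # monitoring invariant: a mint/redeem pair must never lower the exchange rate
        "rate_non_decreasing": market.exchange_rate() >= rate_before,
    }
```

With the forked rounding the pair burns one unit for 400,955,813 wei after paying 200,477,909 wei for it, and the exchange rate drops; the rate_non_decreasing flag is the invariant a monitor can check per transaction.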

"We have already reached out to the exploiter, to offer a whitehat bounty in an effort to get the users’ funds back.

The team will continue to investigate this exploit further, so we will continue to pause borrowing and deposit. We will keep you posted on the progress, and we sincerely appreciate your patience and understanding."

"Dear 0xfa9d342a222f1e1052a9eea73d35e4eeba045729, We are reaching out to you from xBank Finance regarding the recent exploitation of our protocol. We understand that there may have been underlying circumstances leading to your actions, and we wish to extend an opportunity for resolution that benefits both parties involved. In light of this, we kindly request that you return the funds obtained through the exploitation of our platform. As a gesture of appreciation for your cooperation and assistance in strengthening our security measures, we are prepared to offer a white hat bounty equivalent to 10% of the exploit value, amounting to $75,981. Your willingness to engage in this process is greatly appreciated, and we are open to further discussions to ensure a mutually beneficial outcome for all parties involved. Thank you for your attention to this matter, xBank Finance"

"The exploiter unfortunately chose not to cooperate, so now we can assume he’s a blackhat. We are currently tracking his wallet, and while he has not moved the exploited funds, all hope is not lost. Once the exploiter starts moving funds, he will leave more trail, where we can get leads to uncover his track and identity."

"We’re in touch with Seal 911, a team of security researchers, who is helping us keep an eye on the exploiter. Exploiter, if you’re reading this, it’s not too late to return the funds. Otherwise, mark our words, we will make you pay. You will spend the rest of your life running, and you will one day be eventually tracked down"


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - XBank Finance Precision Loss Attack

Date | Event | Description
May 3rd, 2022 10:15:01 AM MDT | YouTube Video Guide | A YouTube video is published which walks through using the XBank protocol.
April 22nd, 2024 9:05:00 PM MDT | Statistics Published | XBank Finance publishes statistics of "$808.0K (-5.3%)" in deposits made and "$172.5K (+3.4%)" in funds borrowed through the protocol.
April 27th, 2024 1:30:54 AM MDT | Exploit Transaction | The XBank Finance smart contract is exploited.
April 27th, 2024 6:40:00 AM MDT | Potential Rug Report | A potential rug is reported to the SlowMist team.
April 27th, 2024 10:59:00 AM MDT | XBank Tweet Posted | The XBank Finance team reports they were "unfortunately exploited by a malicious actor". "We are trying to get hold of the exploiter to offer whitehat bounty to return the funds."
April 27th, 2024 11:29:44 AM MDT | XBank Blockchain Message | The XBank Finance team reaches out to the exploiter on the blockchain.
April 27th, 2024 1:45:00 PM MDT | Post-Mortem Published | XBank publishes a post-mortem guide where they go over the exploit as a precision loss attack.
April 27th, 2024 6:35:25 PM MDT | ODaily Publishing | The situation is published in the ODaily online journal, where it's again reported to be a rug pull.
April 27th, 2024 7:35:59 PM MDT | CoinTime Article | CoinTime publishes an article noting the project is suspected of a rug pull.
April 29th, 2024 9:17:00 PM MDT | SlowMist Reports Rug Pull | In a tweet, SlowMist summarizes recent events, including XBank, which is still considered a rug pull.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount at risk has been estimated at $808,000 USD. The total amount lost has been estimated at $550,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References