Summary of the Misuse of Flash Loan Against xWIN Protocol
Block Number
8589726: https://bscscan.com/tx/0xba0fa8c150b2408eec9bbbbfe63f9ca63e99f3ff53ac46ee08d691883ac05c1d
8589740: https://bscscan.com/tx/0xda1016b24b8982ea27671e3502691c0ca17231e1dbc0dfd00df41f0646217643
4 ways of Getting xWIN token Rewards in xWIN Protocol
1. xWIN referral system, where 1 BNB deposited in any of the trading, index or yield vault will be entitled for 0.20 XWIN per every single entry for the referral user
2. xWIN reward system, where 1 BNB deposited in any of the trading, index or yield vault will be entitled for 0.10 XWIN per every single entry by the user
3. xWIN vault owner / manager reward system, where 1 BNB to 0.05 xWIN token per every single entry by the user
4. xWIN vault token farming and staking
Steps by Hacker:
Setup setting in the protocol
1. Hacker registered an address 0x2Df8DD8880010A28b1539d9aEfF9bcEec39E2040 acted as referral
2. Hacker created a smart contract with the flash loan hacking logic. Address: 0x67d3737c410f4d206012cad5cb41b2e155061945
3. Hacker kicked off the hacking smart contract with address: 0xb63f0d8b9aa0c4e68d5630f54bfefc6cf2c2ad19
Kick Start Flash Loan
1. Hacker gets a flash loan as much as 76,000 BNB, equivalent to USD 11m
2. Hacker subscribed to the old vault PCLP-XWIN LP vault. PCPL-XWIN vault is an old version vault that allow user to participate in PCS LP farming easily by subscribing to the vault:
a. Accepting BNB from user
b. Convert 50% of the BNB into altcoin, in this case XWIN from the PCS LP v1
c. Perform add liquidity in PCS v1 and get the LP token. XWIN-BNB PCS LP v1 still has small liquidity that allow the swapping regardless of the volume.
d. PCLP-XWIN vault will mint PCLP-XWIN token to the user as the proof of ownership of the vault.
e. xWIN Protocol recorded the entitled referral xWIN token rewards to the referral address
3. Hacker redeemed it by calling redeem function in xWIN protocol. Redeem function will:
a. Accepting PCLP-XWIN token.
b. Vault will unfarmed the LP token and convert the LP token back to BNB and XWIN
c. Vault convert all the XWIN back to the BNB and send back to user.
4. By the action in 1 and 2 mentioned above, xWIN protocol recognized the subscription of 76,000 BNB and therefore marked a 76,000 x 0.20 = 15,200 xWIN token entitlement for the referral address
5. Hacker repeated the steps of 1, 2 and 3 as many as 20 times with total of 304,000 xWIN token
6. Hacker sent the 304,000 xWIN token to the PCS v2 pool for swapping it to 903 worth of BNB
7. Hacker repeated the second attack with the same logic from 1 to 6. Getting away of 104 worth of BNB
Another Potential Exploitation
xWIN protocol has the reward system as mentioned in Summary (2) above. The rewards are accumulated based on each block in the BSC network. xWIN identified the hacker smart contract address 0x67d3737c410f4d206012cad5cb41b2e155061945 is entitled to receive another 45000 xWIN based on the total amount subscribed before. As this cannot be get within a single block number therefore the total of the xWIN is not withdrawn.
Immediate Solution
xWIN team will be
1. Terminating the referral fee system
2. Terminating the rewards fee system
3. Terminating manager rewards fee system
All the rewards fee and referral fee accumulated before in the referral address will be still able to withdraw from the UI in xWIN platform.
Action Plan
xWIN team engage third IT security party to go through the code to particularly to this area. In addition to the immediate action plans mentioned above, xWIN team continue to access to the discontinued vault that linked to PCS v1 pool and ensure they are disconnected from the xWIN protocol.
Compensation Plan
To be decided
