Someone has taken advantage of crypto exchange FTX’s willingness to pay blockchain transaction fees on its users’ behalf. They did so to mint more than $70,000 of XEN tokens, leaving the exchange with a $100,000 bill in subsidized transaction fees, according to a report from a security analyst at X-explore.
This is a rare case. It only happened because a recently launched token, called XEN, is free to mint as long as the underlying blockchain’s transaction fees are paid. Rather than pay the transaction fees themselves, a user managed to trick FTX’s systems into doing so on their behalf.
FTX processes ETH withdrawals for free and pays its users’ transaction fees for them from its own hot wallet address. This lets customers send ether and other tokens to their wallets without worrying about fees.
The user made this happen by directing withdrawals to a smart contract, so that each withdrawal called a contract function instead of simply sending funds to a normal crypto address. This contract was designed to loop the minting process and transfer the minted tokens to the user’s address, X-Explore told The Block.
The person was able to carry out the mint primarily because FTX allows users to use up 500,000 gas units, a metric used for withdrawal fees, for withdrawal requests on Ethereum. Normally, simple ether transfers only consume 21,000 gas units, but more complex on-chain activities like calling smart contract functions will need additional fees, which were covered by FTX in this incident. FTX does not impose a gas limit on transactions while also not charging a withdrawal fee.
The exchange failed to recognize that it was minting XEN tokens on behalf of the user, mistaking them for simple withdrawal requests, per analysts.
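The check the exchange was missing can be illustrated with an added example (not code from the report, FTX or the analysts): a Python routine that reviews fee-subsidized withdrawals, flags any that went to a contract or consumed more than the 21,000 gas of a simple transfer, and totals the extra fee paid. The record fields, function names and sample values are constructed assumptions.

```python
from dataclasses import dataclass

SIMPLE_TRANSFER_GAS = 21_000  # gas a plain ether transfer consumes (figure from the article)

@dataclass
class Withdrawal:              # hypothetical record shape for a processed withdrawal
    tx_id: str
    to_is_contract: bool       # recipient address has deployed code
    gas_used: int
    gas_price_gwei: int

def excess_fee_gwei(w: Withdrawal) -> int:
    """Fee the exchange paid beyond what a plain transfer would have cost."""
    return max(0, w.gas_used - SIMPLE_TRANSFER_GAS) * w.gas_price_gwei

def reasons(w: Withdrawal) -> list[str]:
    """Why a subsidized withdrawal does not look like a simple transfer."""
    found = []
    if w.to_is_contract:
        found.append("recipient is a contract")
    if w.gas_used > SIMPLE_TRANSFER_GAS:
        found.append(f"used {w.gas_used} gas, above {SIMPLE_TRANSFER_GAS}")
    return found

def review(withdrawals):
    """Return (flagged tx ids with reasons, total excess subsidy in gwei)."""
    flagged = {w.tx_id: reasons(w) for w in withdrawals if reasons(w)}
    total = sum(excess_fee_gwei(w) for w in withdrawals)
    return flagged, total

# Constructed sample data, not real transactions.
SAMPLE = [
    Withdrawal("w1", False, 21_000, 20),
    Withdrawal("w2", True, 500_000, 20),
    Withdrawal("w3", True, 480_000, 25),
]

if __name__ == "__main__":
    flagged, total = review(SAMPLE)
    for tx_id, why in flagged.items():
        print(tx_id, "; ".join(why))
    print(f"excess subsidy: {total / 1e9:.6f} ETH")
```

The same two conditions can be enforced before signing rather than after the fact, for example by refusing fee-free withdrawals to contract addresses or by setting the transaction's gas limit to the simple-transfer amount.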
A blockchain security firm called BlockSec corroborated X-Explore’s findings. Its independent analysis showed that the FTX exchange paid more than 100 ether ($120,000) for the user’s minting of XEN tokens, BlockSec told The Block.