Root cause:
The attacker executed a flash loan, borrowing a large amount of WETH. They swapped WETH to XSD and then swapped XSD back to WETH, transferring the required WETH back to the flash loan provider.
Vulnerable code snippet:
function swapXSDForETH(uint amountOut, uint amountInMax)
external
override
{
require(!swap_paused, "Swaps have been paused");
(uint reserveA, uint reserveB, ) = IXSDWETHpool(XSDWETH_pool_address).getReserves();
uint amounts = BankXLibrary.quote(amountOut, reserveB, reserveA);
require(amounts <= amountInMax, 'BankXRouter: EXCESSIVE_INPUT_AMOUNT');
TransferHelper.safeTransferFrom(
xsd_address, msg.sender, XSDWETH_pool_address, amountInMax
);
XSDWETHpool(XSDWETH_pool_address).swap(0, amountOut, address(this));
//function will fail if conditions are not met
//XSDWETHpool(XSDWETH_pool_address).flush();
IWBNB(WETH).withdraw(amountOut);
TransferHelper.safeTransferETH(msg.sender, amountOut);
//burn xsd here
//value of xsd liquidity pool has to be greater than 20% of the total xsd value
if(XSD.totalSupply()-CollateralPool(payable(collateral_pool_address)).collat_XSD()>amountOut/10 && !pid_controller.bucket1()){
XSD.burnpoolXSD(amountInMax/10);
}
refreshPID();
}
Attack tx:
0xbdf76f22c41fe212f0 | Phalcon Explorer
Analysis: