Calculated from recorded token losses using historical USD prices at the incident time.
Transaction: 0xa4d7ee2ddb9db06961a17e2a5ae71743a266bcb720be138670f4a10e8dfc13e9
XToken: 0xD08E245Fdb3f1504aea4056e2C71615DA7001440 (Ethereum)
Wrapper: 0x2b9dc65253c035Eb21778cB3898eab5A0AdA0cCe (Ethereum)

On Ethereum block 19286457, an unprivileged sender 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671 routed a single transaction through helper contract 0x3aa228a80f50763045bdfc45012da124bd0a6809 and drained DAI from wrapper 0x2b9dc65253c035Eb21778cB3898eab5A0AdA0cCe. The core failure was in XToken at 0xD08E245Fdb3f1504aea4056e2C71615DA7001440: privileged supply-changing functions were exposed as unrestricted external entry points. The attacker minted unbacked XToken, redeemed part of it through the public wrapper, sold the redeemed DAI downstream, repaid the temporary flash liquidity, and distributed profit. The validator challenge confirms this is a deterministic ACT opportunity rather than a privileged or attacker-specific incident.
XToken is an ERC-20-like asset whose code comments describe an intended model in which only a wrapper role may mint or burn supply, and those operations should additionally pass an authorization check. The corresponding wrapper contract holds DAI reserves and exposes a public unwrap path that burns XToken and transfers DAI out. Immediately before the incident transaction, the wrapper already held 7729322331047062319597 base units of DAI (about 7,729.32 DAI at 18 decimals), so the collateral required to monetize forged XToken was already available on-chain.
The collected seed artifacts include the signed transaction metadata, a full execution trace, the verified XToken source, and a balance-diff summary. Those artifacts are sufficient to reconstruct the full exploit from pre-state 19286456 through post-state 19286457 without requiring any private attacker material.
The root cause is broken access control on XToken supply management. The verified source documents that mint and burnFrom should require WRAPPER_ROLE and an authorization check, but the implementation performs neither. As a result, any externally owned account or contract can create arbitrary XToken supply, and any caller can also burn any account's balance directly through burnFrom, not only via the wrapper redemption flow. Once forged XToken exists, wrapper 0x2b9dc65253c035Eb21778cB3898eab5A0AdA0cCe treats it as redeemable and transfers real DAI out of its reserve. This breaks the core backing invariant: XToken supply can increase without corresponding collateral while the wrapper's collateral remains publicly redeemable. The incident transaction and the validator-side forked PoC both realize exactly that state transition.
The verified XToken source contains the decisive breakpoint. The comments require wrapper-only and authorized access, but the functions are plain external calls that forward directly to _mint and _burn with no modifier, role lookup, or allowance check of any kind.

// Verified XToken source
// The comments above these functions require WRAPPER_ROLE and an
// authorization check; neither function enforces either, so any caller
// reaches _mint and _burn directly.
function mint(address account, uint256 amount) external {
    _mint(account, amount);
}

function burnFrom(address account, uint256 amount) external {
    _burn(account, amount);
}
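As an added example, and not the project's verified source or the validator PoC, the two entry points above rewritten with the checks the comments describe, followed by a Foundry test that replays the unprivileged mint from the incident and confirms it now reverts. The use of OpenZeppelin's AccessControl and ERC20, the token name and symbol, the forge-std harness, and the reading of "authorization" in burnFrom as an ERC-20 allowance held by the wrapper are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the verified XToken source. Assumes OpenZeppelin Contracts
// (ERC20, AccessControl) and forge-std are installed in the Foundry project.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Test} from "forge-std/Test.sol";

/// XToken with the checks its comments describe: only WRAPPER_ROLE can change
/// supply, and burnFrom additionally spends the burned account's allowance
/// (treating "authorization" as an allowance is an assumption of this example).
contract XTokenHardened is ERC20, AccessControl {
    bytes32 public constant WRAPPER_ROLE = keccak256("WRAPPER_ROLE");

    constructor(address admin) ERC20("XToken", "XTKN") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address account, uint256 amount) external onlyRole(WRAPPER_ROLE) {
        _mint(account, amount);
    }

    function burnFrom(address account, uint256 amount) external onlyRole(WRAPPER_ROLE) {
        // The wrapper may only burn what the holder explicitly approved to it.
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
    }
}

/// Foundry test: the incident's unprivileged mint (just under 1e24 units) must
/// revert, while the wrapper keeps the intended mint/burn path.
contract XTokenHardenedTest is Test {
    XTokenHardened token;
    address wrapper = makeAddr("wrapper");
    address attacker = makeAddr("attacker");
    address holder = makeAddr("holder");

    function setUp() public {
        token = new XTokenHardened(address(this));
        token.grantRole(token.WRAPPER_ROLE(), wrapper);
    }

    function test_UnprivilegedMintReverts() public {
        vm.prank(attacker);
        vm.expectRevert();
        token.mint(attacker, 999999999999999999999999);
        assertEq(token.totalSupply(), 0);
    }

    function test_UnprivilegedBurnFromReverts() public {
        vm.prank(wrapper);
        token.mint(holder, 10e18);
        vm.prank(attacker);
        vm.expectRevert();
        token.burnFrom(holder, 1e18);
        assertEq(token.balanceOf(holder), 10e18);
    }

    function test_WrapperBurnNeedsAllowance() public {
        vm.prank(wrapper);
        token.mint(holder, 10e18);
        // Without an approval even the wrapper cannot burn the holder's balance.
        vm.prank(wrapper);
        vm.expectRevert();
        token.burnFrom(holder, 5e18);
        vm.prank(holder);
        token.approve(wrapper, 5e18);
        vm.prank(wrapper);
        token.burnFrom(holder, 5e18);
        assertEq(token.balanceOf(holder), 5e18);
        assertEq(token.totalSupply(), 5e18);
    }
}
```

Run with `forge test` in a project that has the two dependencies installed. `vm.expectRevert()` is used without a selector so the tests pass against both the string-revert (4.x) and custom-error (5.x) versions of OpenZeppelin's AccessControl; in a real audit you would pin the version and assert the exact error. The allowance step is what closes the second half of the finding: restricting burnFrom to the wrapper alone still lets a compromised or buggy wrapper burn arbitrary holders, whereas the allowance check keeps the holder in the loop.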
In the seed transaction trace, the helper contract first calls XToken::mint for 999999999999999999999999 units (just under 1,000,000 XToken at 18 decimals), which succeeds and emits a mint Transfer from the zero address. The same transaction then calls the wrapper unwrap path for 7725000000000000000000 XToken (7,725 XToken). Inside unwrap, the wrapper calls XToken::burnFrom and then transfers exactly the same amount of DAI, 7725000000000000000000 base units (7,725 DAI), to the attacker helper contract.
0xD08E245F...::mint(0x3AA228..., 999999999999999999999999)
emit Transfer(src: 0x0000000000000000000000000000000000000000, dst: 0x3AA228..., wad: 999999999999999999999999)
0x2b9dc652...::unwrap(0xD08E245F..., 7725000000000000000000)
0xD08E245F...::burnFrom(0x3AA228..., 7725000000000000000000)
0x6B175474...::transfer(0x3AA228..., 7725000000000000000000)
This proves the exploit does not depend on privileged keys, governance, or attacker-specific bytecode. The only preconditions are that the wrapper holds DAI and that the attacker can submit a normal transaction. The balance-diff artifact confirms both the direct DAI drain and the retained unbacked XToken: the sender EOA ended with 992274999999999999999998 XToken, and profit recipient 0x25b71878850d008ec4237c55f0a59198bcc72b43 gained 2559241617030985014 wei (about 2.559 ETH).
The adversary flow is fully contained in transaction 0xa4d7ee2ddb9db06961a17e2a5ae71743a266bcb720be138670f4a10e8dfc13e9. The sender 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671 called helper contract 0x3aa228a80f50763045bdfc45012da124bd0a6809, which borrowed temporary WETH liquidity via Balancer flash loan plumbing. That flash liquidity was not the root cause; it was only used to streamline the monetization leg.
The critical exploit sequence was:
1. Mint unbacked XToken into the attacker-controlled helper contract.
2. Redeem 7,725 XToken through wrapper 0x2b9dc652... for 7,725 DAI.
3. Swap the redeemed DAI for WETH.
4. Repay the flash-loan leg.
5. Transfer ETH profit and residual forged XToken to adversary-controlled EOAs.
The trace shows the monetization and distribution steps explicitly. After the wrapper transfer, the helper contract moved 7725000000000000000000 DAI into Uniswap pair 0xa478c2975ab1ea89e8196811f51a7b7ade33eb11, received WETH back, repaid Balancer, transferred 2559241617030985014 wei to 0x25b71878850d008ec4237c55f0a59198bcc72b43, and finally transferred 992274999999999999999998 forged XToken to the sending EOA 0xc0ffeebabe5d496b2dde509f9fa189c25cf29671.
The measurable protocol loss in the incident transaction was DAI drained from the wrapper reserve. The balances observed before and after the validator PoC align with the seed trace: the wrapper held 7729322331047062319597 base units (about 7,729.32 DAI) before and only dust afterwards, and the incident transaction itself transferred out 7725000000000000000000 base units (7,725 DAI), leaving the reserve with roughly 4.32 DAI. In addition to the direct collateral loss, the exploit left the adversary cluster holding a large residual supply of forged XToken, demonstrating that the supply-backing invariant remained broken after monetization.
Loss summary:
[
{
"token_symbol": "DAI",
"amount": "7725000000000000000000",
"decimal": 18
}
]
Referenced identifiers:
Transaction: 0xa4d7ee2ddb9db06961a17e2a5ae71743a266bcb720be138670f4a10e8dfc13e9
XToken: 0xD08E245Fdb3f1504aea4056e2C71615DA7001440
Wrapper: 0x2b9dc65253c035Eb21778cB3898eab5A0AdA0cCe
DAI: 0x6B175474E89094C44Da98b954EedeAC495271d0F
Helper contract: 0x3aa228a80f50763045bdfc45012da124bd0a6809
Profit recipient: 0x25b71878850d008ec4237c55f0a59198bcc72b43
Validator log: /workspace/session/artifacts/validator/forge-test.log