XSURGE on the BSC Chain was Attacked by Lightning Loans — A Full Analysis

On August 17th, the public opinion monitoring platform “Beosin-Eagle Eye” of Boesin showed that the DeFi protocol XSURGE on the BSC chain was attacked by lightning loans. The attacker made profit of more than 13111 BNB by exploiting the contract reentry vulnerabilities. Regarding this attack, Boesin’s technical team conducted an incident analysis for at first response.

The DeFi project XSURGE suffered a lightning loan attack today. An official statement regarding the SurgeBNB vulnerability was issued before XSURGE was attacked.

XSURGE stated that a potential security vulnerability in the SurgeBNB contract was discovered on August 16, local time. Since the SurgeBNB contract cannot be changed and has been abandoned, the token cannot be patched retrospectively. XSURGE did not disclose any specific details about the nature of this vulnerability, but it is strongly recommended that users migrate out of SurgereBnb as soon as possible, as the vulnerability may be triggered by an attacker at any time.

XSURGE stated that it had encountered an attack immediately after the announcement, which has given the project party an unpredictable sweet blow. The Official claimed that the attacker had stolen $5 million in SurgeBNB through a backdoor vulnerability. Since SurgeUSD or SurgeETH do not withdraw BNB, they cannot be the target of future attacks.

Back to this lightning loan attack, let us see how this time the attacker can reap without sowing.

How the attacker succeeded

Attacker’s address:


Take the transaction 0x8c93d6e5d6b3ec7478b4195123a696dbc82a3441be090e048fe4b33a242ef09d as an example:


First borrow 10,000BNB through flash loans.


Use all the BNB to buy SURGE. According to the current price, the attacker can buy 1,896,594,328,449,690 SURGE.


Call the sell function to sell the obtained SURGE of 9346 BNB.


The sell function modifies the data after the transfer, and there is a reentrance vulnerability in the transfer code. When the attack contract receives BNB, the period before the state of the SURGE contract changes (line 595 of code), the attack contract can purchase SURGE again through the reentrance vulnerability.

Since the attack contract uses all the BNB balance to buy SURGE each time, the bnbAmount of the contract remains unchanged, and the total amount of SURGE tokens _totalSupply has not been updated (still remains the quantity before the sell). Therefore, the price of SURGE decreases, causing the attacker to be able to buy more SURGE.


Repeating three times of Round 2 and Round 3 , the attacker accumulates a large amount of SURGE through reentry, and then sells all the SURGE to make a profit.

At the end of this transaction, the attack contract sold 1,864,120,345,279,610,000 SURGE, obtained 10327 BNB, and finally the profitable 297 BNB was sent to the attacker’s address.

What we need to pay attention to

For this attack, the modification suggestions given by Beosin technical team are: 1. To prevent reentry attacks, any transfer operation should occur after the state changes; 2. Use transfer or send to transfer, instead of using “call. value”.

In such security incidents, the attacker can usually reap without sowing. They first use flash loans to obtain a large amount of funds. After possessing the “initial funds” to start the attack, they use a series of methods to access various types of mortgages, loans, and transactions. After realizing the manipulation and distortion of asset price data, an arbitrage is implemented, and the “principal” is returned in the end.

In this incident, the attacker exploited the contract’s reentry vulnerabilities to gain more than 13111BNB. Here Boesin reminds users to pay attention to risk control. For example, corresponding measures must be taken in time after the official statement on the SurgeBNB vulnerability is released.

Blockchian Security · IDE · Beosin-VaaS · Formal Verification · SAS | China leading enterprise in blockchain security field