Beosin: Technical Analysis of the Gas Theft Attack Incident on FTX

ChainCatcher reports that the Beosin security team has analyzed the gas theft attack on FTX. Taking one of the attack transactions as an example (0x8eb73bd5c08318a4cfd233940c3a58744830cda999e59ecbc56f094618a91d69), the attack proceeded as follows:

1. The attacker first deployed the attack contract on-chain (0xCba9b1Fd69626932c704DAc4CB58c29244A47FD3).

2. The FTX hot wallet address transferred small amounts of funds to the attack contract address, and the attack contract (0xCba9...7FD3) was used to batch-create subcontracts. Because a large number of contracts were created over the course of the attack, each subcontract self-destructs after it executes.

3. Next, the subcontract's fallback() function initiated a minting request to the Xen contract. The claimRank() function there takes a time limit for minting (minimum of 1 day); its only cost is the gas fee for the call, with no other costs. The claimMintReward() function is the withdrawal function, which only checks whether the time limit has been reached (the hacker set the minimum of 1 day), so withdrawal is otherwise unconditional. However, during this call process the transaction initiator is the FTX hot wallet address, so the entire gas cost of the call is paid by the FTX hot wallet address, while the Xen minting address is the attacker's address.

4. The first three steps were repeated many times; in each repetition, tokens whose time limit had expired were withdrawn while new minting requests were initiated at the same time.

As of the time of writing, Beosin Trace tracking found that the FTX exchange lost 81 ETH, and the hacker exchanged the XEN tokens for ETH through DODO and Uniswap.
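The pattern above (a small-value transfer from a hot wallet to a contract whose execution creates and self-destructs subcontracts and calls out to a third-party minting contract, so the wallet pays the gas while someone else receives the minted tokens) can be screened for on the withdrawing side. The following is an added illustration, not code from Beosin or ChainCatcher; the transaction fields, trace opcodes and heuristic thresholds are assumptions, and the sample transactions are constructed.

```python
"""Heuristic screen for the hot-wallet 'gas theft' pattern.

Constructed example data, not real chain data. A transaction is flagged when
the gas the wallet pays is large relative to the value it sends, the target
is a contract, and the execution trace shows contract creation followed by
self-destruct plus nested calls into other contracts.
"""
from dataclasses import dataclass

WEI_PER_ETH = 10**18


@dataclass
class Tx:
    sender: str          # the hot wallet (pays the gas)
    to: str              # destination address
    value_wei: int       # value transferred
    gas_used: int
    gas_price_wei: int   # effective gas price actually paid
    trace_ops: list      # opcodes observed in the call trace (assumed format)
    to_is_contract: bool # True if code exists at `to`


def gas_cost_wei(tx: Tx) -> int:
    """Total gas bill the sender paid for this transaction."""
    return tx.gas_used * tx.gas_price_wei


def gas_drain_indicators(tx: Tx, max_gas_to_value: float = 1.0) -> dict:
    """Return each indicator and whether it fired. Thresholds are assumptions:
    gas paid exceeding the value sent is the core signal, since a legitimate
    withdrawal should never cost more in gas than it delivers."""
    ops = tx.trace_ops
    return {
        "gas_exceeds_value": gas_cost_wei(tx) > tx.value_wei * max_gas_to_value,
        "dest_is_contract": tx.to_is_contract,
        "create_then_selfdestruct": "CREATE" in ops and "SELFDESTRUCT" in ops,
        "nested_calls": ops.count("CALL") > 1,  # calls beyond the top-level one
    }


def is_suspicious(tx: Tx, min_indicators: int = 3) -> bool:
    """Flag when at least `min_indicators` heuristics fire (assumed threshold)."""
    return sum(gas_drain_indicators(tx).values()) >= min_indicators


# Constructed samples: a gas-drain style transaction and a plain ETH transfer.
DRAIN_TX = Tx("0xHOTWALLET", "0xATTACKCONTRACT", 10**15, 2_000_000, 20 * 10**9,
              ["CALL", "CREATE", "CALL", "SELFDESTRUCT"], True)
NORMAL_TX = Tx("0xHOTWALLET", "0xUSER", WEI_PER_ETH, 21_000, 20 * 10**9,
               ["CALL"], False)
```

A real deployment would derive `trace_ops` from a debug trace of a simulated transaction before signing, and would pair the screen with a hard gas cap on withdrawals to contract addresses.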