XPEPE Token Incident Analysis
ID: 8b665ec6-602f-53ab-836f-ccbaac5d193a
STIX ID: report--8b665ec6-602f-53ab-836f-ccbaac5d193a
Feed Name: CertiK Blog
On 25 January 2025, an attacker used a Uniswap V3 flash loan to stake, then repeatedly withdraw and call transferFrom against XPEPE's TokenStaker. Because the spend allowance was never revoked, this allowed iterative token duplication and drained the pool (99% price drop); the attacker sold the drained tokens for ~0.6805 ETH. The report includes the exploit transaction link, the addresses and contracts involved, and funding traces via Tornado Cash and Orbiter Bridge, and it identifies the root cause as missing allowance revocation in withdrawAll().
