Beleaguered DeFi project xToken suffers second major exploit since May

Published at: Aug. 30, 2021

The decentralized finance project xToken has suffered another exploit over the weekend after hackers discovered a vulnerability in the smart contracts for its xSNX product.

On Aug. 29, the xToken team reported that the attack had resulted in roughly $4.5 million worth of funds being drained from xToken’s xSNX product — which allows users to gain exposure to Synthetix-based assets without directly interacting with the protocol’s complex smart contracts.

Our xSNX contract was exploited. Our other contracts do not have similar vulnerabilities. Every day going forward from here will be focused on rebuilding trust with our community. We're assessing the situation and will update with next steps in the coming hours

— xToken (@xtokenmarket) August 29, 2021

The project published a post mortem a few hours later, explaining that the malicious actor had taken out a flash loan from the dYdX decentralized exchange (DEX) for 25,000 ETH (roughly $81 million) to carry out the attack.

They then posted the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) from the DeFi money market protocol Aave and the liquidity-pool exchange Bancor.

The attacker swapped these for 6.5 million USDC on the decentralized exchange Kyber, pushing down the price of SNX on that venue. They then swapped the USDC for Synthetix's USD stablecoin (sUSD) and exploited a flaw in xToken's contracts to purchase 614,000 SNX for 811,000 sUSD (about $1.32 per SNX) at the artificially depressed price.

At current prices, the hacker made off with $7 million worth of SNX.
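As an added worked example, not xToken's code and not a reconstruction of the xSNX contract, the Python model below replays the sequence described above against a toy constant-product (x*y=k) pool: borrowed SNX is dumped into the pool, which moves the spot quote; a vault that prices its SNX at that spot quote sells cheaply; the borrowed SNX is then bought back from the pool and the loan repaid. Modelling the flaw as "the vault reads a manipulable spot price" is an assumption, one common way a purchase "at an artificially depressed price" comes about, and says nothing about how xSNX actually computed prices. Pool reserves, the loan size and the $11 reference price are constructed numbers. A second vault class shows the check a practitioner would want: refuse the trade when the spot quote deviates from a reference price (a TWAP or an external oracle feed, assumed constant here) by more than a few percent.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool quoting SNX in sUSD. No swap fee, so the dump/buy-back
    round trip nets to zero and the vault's loss is the only cash flow."""
    snx: Fraction   # SNX reserve
    susd: Fraction  # sUSD reserve

    def spot_price(self) -> Fraction:
        """sUSD per SNX implied by the current reserves."""
        return self.susd / self.snx

    def sell_snx(self, amount_in: Fraction) -> Fraction:
        """Swap SNX into the pool; returns the sUSD paid out."""
        k = self.snx * self.susd
        self.snx += amount_in
        new_susd = k / self.snx
        out = self.susd - new_susd
        self.susd = new_susd
        return out

    def buy_snx(self, amount_out: Fraction) -> Fraction:
        """Take SNX out of the pool; returns the sUSD that has to be paid in."""
        k = self.snx * self.susd
        self.snx -= amount_out
        new_susd = k / self.snx
        paid = new_susd - self.susd
        self.susd = new_susd
        return paid


class PriceDeviation(Exception):
    """Raised by the guarded vault when the spot quote is out of band."""


@dataclass
class SpotPricedVault:
    """Sells its SNX at the pool's current spot quote (the manipulable price).
    Assumed model of the flaw, not xToken's actual pricing code."""
    pool: ConstantProductPool
    snx: Fraction
    reference_price: Fraction  # ignored by this vault; shared constructor signature

    def price(self) -> Fraction:
        return self.pool.spot_price()

    def buy_snx(self, susd_in: Fraction) -> Fraction:
        """Hand out SNX for susd_in at self.price(); returns the SNX amount."""
        out = susd_in / self.price()
        if out > self.snx:
            raise ValueError("vault does not hold that much SNX")
        self.snx -= out
        return out


@dataclass
class GuardedVault(SpotPricedVault):
    """Same sale, but refuses when spot strays more than max_deviation from a
    reference price (a TWAP or external oracle feed, assumed constant here)."""
    max_deviation: Fraction = Fraction(5, 100)

    def price(self) -> Fraction:
        spot = self.pool.spot_price()
        if abs(spot - self.reference_price) > self.max_deviation * self.reference_price:
            raise PriceDeviation(
                f"spot {float(spot):.2f} vs reference {float(self.reference_price):.2f}")
        return spot


def run_attack(vault_cls, *, pool_snx=2_000_000, pool_susd=22_000_000,
               loan_snx=1_500_000, vault_snx=614_000, reference_price=11):
    """Replay dump -> buy from vault -> buy back -> repay against one vault.
    Reserves and loan size are constructed. Returns (snx_taken, profit_susd)."""
    F = Fraction
    pool = ConstantProductPool(F(pool_snx), F(pool_susd))
    vault = vault_cls(pool, F(vault_snx), F(reference_price))

    # 1. Flash-borrowed SNX is dumped into the pool: reserves shift, spot falls.
    susd_from_dump = pool.sell_snx(F(loan_snx))
    depressed = pool.spot_price()

    # 2. Buy the vault's whole SNX balance at the depressed quote, or be refused.
    try:
        cost = depressed * F(vault_snx)
        snx_taken = vault.buy_snx(cost)
    except PriceDeviation:
        cost, snx_taken = F(0), F(0)

    # 3. Buy the borrowed SNX back from the pool and repay the flash loan.
    buyback_cost = pool.buy_snx(F(loan_snx))

    # Attacker's net position, with SNX valued at the undistorted reference price.
    profit = susd_from_dump - cost - buyback_cost + snx_taken * F(reference_price)
    return snx_taken, profit


if __name__ == "__main__":
    for cls in (SpotPricedVault, GuardedVault):
        taken, profit = run_attack(cls)
        print(f"{cls.__name__}: SNX taken {float(taken):,.0f}, "
              f"profit {float(profit):,.2f} sUSD")
```

With the constructed reserves the dump pulls the spot quote from 11 to roughly 3.59 sUSD per SNX, and because a flash loan makes every step atomic, the manipulated quote and the vault purchase land in the same transaction; a spot price read in the same block is therefore never safe as the sole pricing input. The deviation check only relocates trust to the reference feed, so that feed must itself be hard to move within one block.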

In response to the latest attack, xToken has announced it will retire the xSNX product, stating:

“The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.”


xToken allows users to hold interest-bearing derivatives of crypto assets like AAVE and SNX that require holders to participate in staking, governance, or other protocol interaction in order to receive yield.

The incident is not the first time xToken has been exploited this year. In May, the protocol suffered a similar fate when a malicious actor manipulated prices on the Kyber DEX while simultaneously taking advantage of xToken's price calculations. That breach cost the protocol around $25 million in SNX tokens at the time.

Moving forward, the xToken team stated it will spend the coming week calculating investor losses and structuring a compensation program based on its native token, XTK.

At the time of writing, XTK had dumped 45% over the past 24 hours, according to CoinGecko, and is down more than 90% from its April all-time high which preceded the first exploit.
