DeFi project xToken suffers second attack in a year; losses estimated at $4.5 million

The DeFi project xToken team reported a breach of the protocol. Users’ losses are estimated at $4.5 million.

The attack occurred on August 29 at 7:43 (MSK).

The hacker exploited a vulnerability in the xSNX product, which allows access to assets based on Synthetix without direct interaction with the protocol’s complex smart contracts.

xToken founder Michael Cohen described the attacker’s actions in a blog post:

  • The hacker took a flash loan of 25,000 ETH on the dYdX platform;
  • used these funds as collateral to borrow about 1 million SNX tokens on the Aave protocol;
  • additionally swapped 6,800 ETH for 519,000 SNX on the Bancor decentralized exchange;
  • exchanged the 1.5 million SNX obtained for 6.5 million USDC on the Kyber protocol, crashing the price of Synthetix’s governance token SNX;
  • bought 6.5 million sUSD on Curve for 6.5 million USDC;
  • transferred about 2 million sUSD to the xSNXAdmin contract with the aim of repaying the debt in stablecoin to unlock SNX;
  • called callFunction in xSNXAdmin, burned the outstanding debt and additionally purchased 614,000 SNX for 811,000 sUSD at an artificially depressed price;
  • exchanged 811,000 sUSD for 811,000 USDC that remained in the contract;
  • executed the reverse operations, moved assets into ETH and repaid the loan.

Cohen acknowledged that, due to a developer error, the callFunction function ended up publicly accessible, although it should have been invoked only from the dYdX flash loan smart contract. The hacker leveraged the vulnerability to influence the SNX price via xSNX assets and profit from external arbitrage, he said.
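The missing caller check described above, sketched as an added example (not xToken's code and not from Cohen's post). The contract name, the `dydxSolo` variable, the `_unwindDebt` helper and the second `sender` check are assumptions made for illustration; only the `callFunction` name and its intended caller come from the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, NOT the xSNXAdmin source. Only the callback name
// `callFunction` and its intended caller (the dYdX flash-loan contract) come
// from the article; every other name here is hypothetical.

library Account {
    // Shape of the account argument in the dYdX callback interface.
    struct Info {
        address owner;
        uint256 number;
    }
}

contract FlashLoanReceiverSketch {
    address public immutable dydxSolo; // assumed: trusted dYdX contract, fixed at deploy

    event DebtUnwound(address indexed caller, uint256 payloadLength);

    constructor(address dydxSolo_) {
        require(dydxSolo_ != address(0), "dYdX address not set");
        dydxSolo = dydxSolo_;
    }

    // BEFORE: the flaw described above. `external` with no caller check, so
    // any account can drive the privileged debt/swap logic directly.
    function callFunctionUnguarded(address, Account.Info memory, bytes memory data) external {
        _unwindDebt(data);
    }

    // AFTER: the callback only runs when dYdX itself is the caller, and only
    // for a loan this contract opened (second check is an added assumption).
    function callFunction(address sender, Account.Info memory, bytes memory data) external {
        require(msg.sender == dydxSolo, "caller is not dYdX");
        require(sender == address(this), "loan not opened by this contract");
        _unwindDebt(data);
    }

    // Stand-in for the privileged step (debt repayment and swaps in the real product).
    function _unwindDebt(bytes memory data) private {
        emit DebtUnwound(msg.sender, data.length);
    }
}
```

A regression test for this class of bug calls the callback from an address other than the configured dYdX contract and asserts that the call reverts.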

After the attack, xToken decided to discontinue the xSNX product.

The team is developing a plan to compensate users using its own token, XTK.

“We are a small team with a tight budget, and $4.5 million is a substantial sum,” Cohen noted.

One user found it suspicious that the hack, which caused the XTK price drop, occurred after a significant asset dump. Since August 22 the price had more than doubled: on August 28 quotes reached $0.29 versus $0.14 (CoinGecko).

Earlier, in May, an unknown attacker breached the protocol using two exploits and drained assets valued at about $25 million.
