
DeFi protocol xToken loses $25 million in hack
An attacker drained assets valued at around $25 million from the DeFi protocol xToken.
Our initial report on today’s exploit. More details in the coming days. https://t.co/ZadHCUTqEK
— xToken (@xtokenmarket) May 12, 2021
According to the project’s developers, the attack occurred on 12 May at 17:44 Moscow time. Analysts noticed “price and liquidity discrepancies” about ten minutes after it began and paused the smart contracts.
An unknown actor immediately drained the xBNTa and xSNXa liquidity pools. The BNT and SNX tokens remained in the xToken contracts. The hacker extracted 416 ETH from the xSNX contract, as it stores Ethereum as part of a debt-hedging strategy.
The Bancor and Balancer liquidity pools suffered losses of around $25 million.
The attacker took a flash loan of 61,800 ETH, and then employed two exploits:
- The attacker used cryptocurrency to manipulate the Kyber Network oracle, which provides price data to the blockchain for SNX. He minted a large number of synthetic tokens, which were then converted into ETH and SNX.
- Because xBNT is a wrapped token, issuing it requires collateral in BNT. However, the xToken smart contract did not enforce this dependency. Taking advantage of the vulnerability, the hacker used cheaper SPD tokens.
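A simplified model of the second flaw, added here as an illustration and not taken from xToken's contracts: a wrapped-token pool that credits a deposit without checking which asset arrived, next to a version that enforces the BNT collateral requirement. The `WrappedPool` class, its method names, the account names and the deposit amounts are all constructed assumptions.

```python
from dataclasses import dataclass, field

BNT = "BNT"  # the only asset allowed to back the wrapped token in this model

@dataclass
class WrappedPool:
    """Constructed, simplified model of a wrapped-token pool (not xToken's contract)."""
    collateral: float = 0.0   # BNT actually held by the pool
    supply: float = 0.0       # wrapped tokens outstanding
    balances: dict = field(default_factory=dict)

    def _issue(self, user, amount):
        # First deposit mints 1:1, later deposits pro rata to existing backing.
        shares = amount if self.supply == 0 else amount * self.supply / self.collateral
        self.supply += shares
        self.balances[user] = self.balances.get(user, 0.0) + shares
        return shares

    def mint_unchecked(self, user, token, amount):
        """Flawed: treats the reported amount as BNT whatever asset arrived."""
        shares = self._issue(user, amount)
        if token == BNT:          # only real BNT ever increases the backing
            self.collateral += amount
        return shares

    def mint_checked(self, user, token, amount):
        """Hardened: reject any deposit that is not a positive amount of BNT."""
        if token != BNT:
            raise ValueError(f"collateral must be {BNT}, got {token}")
        if amount <= 0:
            raise ValueError("amount must be positive")
        shares = self._issue(user, amount)
        self.collateral += amount
        return shares

    def backing_per_share(self):
        return self.collateral / self.supply

def compare():
    """Return (backing after flawed mint, backing after hardened mint, rejected?)."""
    flawed, hardened = WrappedPool(), WrappedPool()
    for pool in (flawed, hardened):
        pool.mint_checked("alice", BNT, 1000.0)      # honest depositor
    flawed.mint_unchecked("mallory", "SPD", 1000.0)  # cheaper token accepted as BNT
    try:
        hardened.mint_checked("mallory", "SPD", 1000.0)
        rejected = False
    except ValueError:
        rejected = True
    return flawed.backing_per_share(), hardened.backing_per_share(), rejected
```

In the flawed pool the wrapped supply doubles while the BNT backing stays the same, so each wrapped token is backed by half as much BNT; the hardened pool refuses the deposit and keeps full backing.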
According to TheBlock analyst Igor Igamberdiev, the simultaneous use of two vulnerabilities and the speed of the attack point to possible involvement by people close to the project’s developers.
1/9
Another DeFi protocol xToken was exploited today and almost $25 million was stolen.
The attacker was smart enough (or close enough to this project) to use two different exploits for two projects’ tokens.👇 pic.twitter.com/cCmOu1hj9g
— Igor Igamberdiev (@FrankResearcher) May 12, 2021
According to TheBlock, the hacker siphoned 2,400 ETH, 781,000 BNT, 407,000 SNX, and 1.9 billion xBNTa. All tokens except xBNTa were sold for 5,600 ETH.
Earlier in May, the attacker attacked the DeFi project Spartan Protocol and drained about $30 million from its liquidity pools. He also used flash loans.
In April, the lending protocol EasyFi lost $6 million. The hackers gained remote access to the founder Ankit Garg’s computer and MetaMask wallet.