Beleaguered DeFi project xToken suffers second major exploit since May
The decentralized finance project xToken has suffered another exploit over the weekend after hackers discovered a vulnerability in the smart contracts for its xSNX product.
On Aug. 29, the xToken team reported that the attack had resulted in roughly $4.5 million worth of funds being drained from xToken’s xSNX product — which allows users to gain exposure to Synthetix-based assets without directly interacting with the protocol’s complex smart contracts.
Our xSNX contract was exploited. Our other contracts do not have similar vulnerabilities.
Every day going forward from here will be focused on rebuilding trust with our community.
We’re assessing the situation and will update with next steps in the coming hours
— xToken (@xtokenmarket) August 29, 2021
The project published a post mortem a few hours later, explaining that the malicious actor had taken out a flash loan from the dYdX decentralized exchange (DEX) for 25,000 ETH (roughly $81 million) to carry out the attack.
They then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) using popular DeFi money market protocol Aave, and pooled liquidity token exchange, Bancor.
These were swapped for 6.5 million USDC on decentralized exchange, Kyber, exerting downward pressure on the price of SNX. The attacker then swapped the USDC for Synthetix’s USD token (sUSD), before exploiting a flaw in xToken’s contracts to purchase 614,000 SNX at an artificially depressed price for 811,000 sUSD.
At current prices, the hacker made off with $7 million worth of SNX.
In response to the latest attack, xToken has announced it will retire the xSNX product, stating:
“The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.”
Related: How do DeFi protocols get hacked?
xToken allows users to hold interest-bearing derivatives of crypto assets like AAVE and SNX that require holders to participate in staking, governance, or other protocol interaction in order to receive yield.
The incident is not the first time xToken has been exploited this year. In May, the protocol suffered a similar fate when a malicious actor manipulated the Kyber DEX while also simultaneously taking advantage of xToken price calculations. The breach cost the protocol around $25 million in SNX tokens at the time.
Moving forward, the xToken team stated it will spend the coming week working to calculate investor losses and structure a compensation program based on using its native token, XTK.
At the time of writing, XTK had dumped 45% over the past 24 hours, according to CoinGecko, and is down more than 90% from its April all-time high which preceded the first exploit.