Another day, another decentralized finance (DeFi) platform attacked and exploited for millions of dollars. This time it’s xToken, a platform that offers interest-bearing derivatives of digital currencies. xToken has lost $7 million in the exploit, but this is not the first time it’s being attacked.
On Sunday, August 29, xToken announced that it had suffered the attack in which its xSNX contract was exploited. This contract allows users of the DeFi platform to hold Synthetix-based assets without directly purchasing or having to hold SNX.
Our xSNX contract was exploited. Our other contracts do not have similar vulnerabilities.
Every day going forward from here will be focused on rebuilding trust with our community.
We're assessing the situation and will update with next steps in the coming hours
— xToken (@xtokenterminal) August 29, 2021
The DeFi platform later gave an update in a blog post, delving deeper into the attack. It revealed that the attacker had exploited a vulnerability in its xSNX contract and estimated the loss to holders to be at about $4.5 million. Even more critically, it revealed that the attack had forced the platform to stop offering its xSNX contract as it was too vulnerable to such exploits.
“At this time, we believe it best to sunset our xSNX product offering. The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities,” it stated.
The exploit started with the attacker taking out a flash loan from dYdX, a decentralized exchange, worth $81 million in ETH to conduct the attack. He then used the ETH as collateral and borrowed 1.5 million SNX from Aave and Bancor, two of the most popular DeFi markets.
After a series of swaps on other decentralized exchanges, he exerted downward pressure on the price of SNX and then exploited a vulnerability on xToken to purchase SNX at an artificially subdued price.
At press time, the SNX he made off with is worth $6.9 million.
“We are working this week to write accurate snapshot scripts to properly calculate investor losses,” the xToken team stated. Acknowledging that it was a small team and $4.5 million was quite a substantial sum, the team revealed it would structure a compensation program that would see the losses paid for in XTK tokens. At press time, these tokens are worth $0.12, down by over 90% from their April high of $1.36.
This isn’t the first time the platform is getting attacked. In early May this year, its SNX smart contract was attacked, the same contract that’s been exploited in the latest attack, three months later. At the time, the platform lost $25 million.
xSNXa and xBNTa contracts have been exploited. Minting paused on all contracts as we investigate further.
Liquidity pools have been drained, however most SNX and BNT remain in xToken contracts.
We owe the community an explanation and will be providing another update shortly
— xToken (@xtokenterminal) May 12, 2021
Watch: CoinGeek Zurich panel, Using Blockchain to Strengthen Cybersecurity
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.