Hackers uncovered a vulnerability in the smart contracts for xToken’s xSNX product over the weekend. The exploit drained approximately $4.5 million and marks yet another attack to hit the decentralized finance project.
The xToken team announced on Aug. 29 that the hack had drained around $4.5 million from the company’s xSNX platform, which allows customers to obtain exposure to Synthetix-based assets without having to interface with the protocol’s sophisticated smart contracts.
A few hours later, the project released a post mortem, stating that the malicious actor used a flash loan of 25,000 ETH (approximately $81 million) from the dYdX decentralized exchange (DEX) to carry out the attack.
They then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) through Aave, a popular decentralized money market protocol, and Bancor, a pooled liquidity token exchange.
These were exchanged for 6.5 million USDC on Kyber, a decentralized exchange, putting downward pressure on the SNX price.
The attacker then exchanged the USDC for Synthetix’s USD token (sUSD), then used a weakness in xToken’s contracts to buy 614,000 SNX for 811,000 sUSD at an artificially low price.
The hacker made off with $7 million in SNX at today’s values. xToken has declared that the xSNX product will be retired in response to the new hack, stating:
“The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.”
With xToken, users can own interest-bearing derivatives of crypto assets like AAVE and SNX that require holders to engage in staking, governance, or other protocol involvement in order to obtain yield.
This isn’t the first time xToken has been exploited this year. In May, the protocol faced a similar fate when a malicious actor exploited the Kyber DEX while also taking advantage of xToken pricing calculations. At the time, the compromise cost the protocol about $25 million in SNX tokens.
The xToken team has indicated that it will work over the next week to evaluate investor losses and establish a compensation program based on the use of its native token, XTK.
According to CoinGecko, XTK has dropped 45 percent in the last 24 hours and is down more than 90 percent from its all-time high in April, which predated the first exploit.