{"id":8860,"date":"2021-08-30T08:38:17","date_gmt":"2021-08-30T07:38:17","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=8860"},"modified":"2021-08-30T08:38:32","modified_gmt":"2021-08-30T07:38:32","slug":"defi-project-xtoken-suffers-a-major-second-exploit-since-may","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/defi-project-xtoken-suffers-a-major-second-exploit-since-may\/","title":{"rendered":"DeFi project xToken suffers a major second exploit since May"},"content":{"rendered":"\n<h5 class=\"wp-block-heading\">Hackers uncovered a <a href=\"https:\/\/coinscreed.com\/staging\/seychelles-based-exchange-bilaxy-has-been-hacked.html\" data-type=\"post\" data-id=\"8846\">vulnerability in the smart contracts<\/a> for xToken's xSNX product over the weekend. The exploit amounts to approximately $4.5 million and marks yet another attack to hit the decentralized finance project.<\/h5>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1-1024x538.jpg\" alt=\"DeFi project xToken suffers a major second exploit since May\" class=\"wp-image-8866\" srcset=\"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1-1024x538.jpg 1024w, https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1-300x158.jpg 300w, https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1-768x403.jpg 768w, https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1.jpg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The xToken team announced on Aug. 
29 that the hack had drained around $4.5 million from the company's xSNX platform, which allows customers to obtain exposure to <a href=\"https:\/\/coinscreed.com\/staging\/stolen-assets-have-been-fully-recovered-says-poly-network.html\" data-type=\"post\" data-id=\"8679\">Synthetix-based assets<\/a> without having to interface with the protocol's sophisticated smart contracts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"554\" height=\"407\" src=\"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/image-296.png\" alt=\"\" class=\"wp-image-8864\" srcset=\"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/image-296.png 554w, https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/image-296-300x220.png 300w\" sizes=\"(max-width: 554px) 100vw, 554px\" \/><\/figure>\n\n\n\n<p>A few hours later, the project released a post-mortem, stating that the <a href=\"https:\/\/coinscreed.com\/staging\/galaxy-digital-grants-argo-blockchain-a-20-million-bitcoin-backed-loan-for-its-texas-mining-operation.html\" data-type=\"post\" data-id=\"4722\">malicious actor used a flash loan<\/a> of 25,000 ETH (approximately $81 million) from the dYdX decentralized exchange (DEX) to carry out the attack.<\/p>\n\n\n\n<p>They then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) through Aave, a popular decentralized money market protocol, and Bancor, a pooled liquidity token exchange.<\/p>\n\n\n\n<p>These were exchanged for 6.5 million USDC on Kyber, a decentralized exchange, putting downward pressure on the SNX price.<\/p>\n\n\n\n<p>The attacker then exchanged the USDC for Synthetix's USD token (sUSD), then used a weakness in xToken's contracts to buy 614,000 SNX for 811,000 sUSD at an <a href=\"https:\/\/coinscreed.com\/staging\/sec-contracts-anchain-ai-to-monitor-defi.html\" data-type=\"post\" data-id=\"8799\">artificially low price<\/a>.<\/p>\n\n\n\n<p>The 
hacker made off with $7 million in SNX at today's prices. xToken has declared that the xSNX product will be retired in response to the new hack, stating:<\/p>\n\n\n\n<p>\u201cThe current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.\u201d<\/p>\n\n\n\n<p>Users can own interest-bearing derivatives of crypto assets like AAVE and SNX that require holders to engage in staking, governance, or other protocol involvement in order to obtain yield.<\/p>\n\n\n\n<p>This isn't the first time xToken has been exploited this year. In May, the protocol faced a similar fate when a malicious actor <a href=\"https:\/\/coinscreed.com\/staging\/hashdex-launches-first-green-bitcoin-etf-in-brazil-with-carbon-neutrality.html\" data-type=\"post\" data-id=\"7412\">exploited the Kyber DEX<\/a> while also taking advantage of xToken pricing calculations. At the time, the compromise cost the protocol about $25 million in SNX tokens.<\/p>\n\n\n\n<p>The xToken team has indicated that it will spend the next week evaluating investor losses and establishing a compensation program based on the use of its native token, XTK.<\/p>\n\n\n\n<p>According to CoinGecko, XTK has dropped 45 percent in the last 24 hours and is down more than 90 percent from its all-time high in April, which predated the first exploit.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers uncovered a vulnerability in the smart contracts for xToken&#8217;s xSNX product over the weekend. The exploit amounts to approximately $4.5 million and marks yet another attack to hit the decentralized finance project. The xToken team announced on Aug. 
29 that the hack had drained around $4.5 million from the company&#8217;s xSNX platform, which allows [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":8866,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[73],"tags":[197,2156,4124,4123],"class_list":["post-8860","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-defi-news","tag-defi","tag-exploit","tag-xsnx","tag-xtoken"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2021\/08\/DeFi-project-xToken-suffers-a-major-second-exploit-since-May-1.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/8860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=8860"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/8860\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/8866"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=8860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=8860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=8860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}