xToken loses $4.5 million in second major exploit

  • An attacker stole about $4.5 million worth of funds from xToken's xSNX product
  • The attacker profited from the vulnerability by using xSNX assets to pressure the SNX price
  • In May, the protocol suffered a similar exploit that cost it $25 million in SNX tokens

The xToken team tweeted that an attacker stole about $4.5 million worth of funds from xToken’s xSNX product, which lets users invest in Synthetix-based assets.

How did this happen?

A postmortem posted by the project explained that the malicious actor took out a flash loan from decentralized exchange dYdX for 25,000 ETH to carry out the attack. They then used the Ether as collateral to borrow 1.5 million Synthetix Government Tokens (SNX) via Aave and Bancor.

These were exchanged for 6.5 million USDC on the decentralized exchange Kyber, which pressured the price of SNX. The attacker then exchanged the USDC for Synthetix’s USD token (sUSD) before exploiting a vulnerability in xToken’s contracts to buy 614,000 SNX at an artificially depressed price of 811,000 sUSD.
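
A defender's view of the trade described above, as an added example that is not xToken's code or part of the original article: it compares a guard that trusts the momentary DEX quote with one that prices against a time-weighted average. The feed values, the 1:1 sUSD/USDC treatment, the 30-minute window and the 500 bps tolerance are assumptions; only the 811,000 sUSD and 614,000 SNX figures come from the article.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Observation:
    timestamp: int    # seconds
    price: Fraction   # quote units (sUSD/USDC, assumed 1:1) per SNX

def twap(observations, now, window):
    """Time-weighted average price over [now - window, now]."""
    if not observations:
        raise ValueError("no observations")
    obs = sorted(observations, key=lambda o: o.timestamp)
    start, weighted, covered = now - window, Fraction(0), 0
    # Each price is held until the next observation (or until `now`).
    for cur, nxt in zip(obs, obs[1:] + [Observation(now, obs[-1].price)]):
        lo, hi = max(cur.timestamp, start), min(nxt.timestamp, now)
        if hi > lo:
            weighted += cur.price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered

def check_trade(quote_in, base_out, reference, max_deviation_bps):
    """Return (allowed, deviation_bps) for a trade priced against `reference`."""
    implied = Fraction(quote_in, base_out)
    deviation_bps = abs(implied - reference) / reference * 10_000
    return deviation_bps <= max_deviation_bps, deviation_bps

# Constructed price feed: a stable market, then one manipulated reading
# ten seconds before the trade. Only the trade sizes come from the article.
FEED = [
    Observation(0, Fraction("4.40")),
    Observation(600, Fraction("4.35")),
    Observation(1200, Fraction("4.38")),
    Observation(1790, Fraction("1.32")),   # depressed spot quote
]
NOW, WINDOW, TOLERANCE_BPS = 1800, 1800, 500   # hypothetical policy values
SUSD_IN, SNX_OUT = 811_000, 614_000            # figures reported above

def demo():
    spot = FEED[-1].price
    average = twap(FEED, NOW, WINDOW)
    return {
        "spot_check": check_trade(SUSD_IN, SNX_OUT, spot, TOLERANCE_BPS),
        "twap_check": check_trade(SUSD_IN, SNX_OUT, average, TOLERANCE_BPS),
    }

if __name__ == "__main__":
    for name, (allowed, bps) in demo().items():
        print(f"{name}: allowed={allowed} deviation={float(bps):.1f} bps")
```

Against the depressed spot quote the trade looks fair and is allowed; against the time-weighted reference it deviates by roughly 70% and is rejected.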

Not the first time xToken has been exploited

The incident is the second time xToken has been exploited this year. In May, the protocol suffered a similar exploit when a malicious actor manipulated the Kyber DEX, taking advantage of xToken’s price calculation. The breach cost the protocol around $25 million in SNX tokens at the time.

The xToken team said it will work in the coming weeks to calculate investor losses and structure a compensation program based on the use of its native token.
