- DeFi protocol xToken suffered from an exploit.
- The attacker took $24.5 million using flash loans.
- The attack involved using two exploits, targeting tokens in the xToken ecosystem.
Decentralized finance (DeFi) protocol xToken announced it faced a massive exploitation on Wednesday. Notably, the attacker took $24.5 million using flash loans.
xSNXa and xBNTa contracts have been exploited. Minting paused on all contracts as we investigate further.
Liquidity pools have been drained, however most SNX and BNT remain in xToken contracts.
We owe the community an explanation and will be providing another update shortly
— xToken (@xtokenmarket) May 12, 2021
Flash loans are blockchain-based loans through which a quantity of crypto is borrowed and repaid in the same transaction. As in this case, an attacker can use them to access large amounts of capital at a cheap rate because they can immediately pay the crypto.
About the attack, it was carried out using two exploits, both targeting tokens in the xToken ecosystem.
First, the entity liable used a flash loan to lend 61,800 ETH ($270 million). They used it to manage Kyber Network’s oracle — which relates its blockchain to real-world data. This is to mint lots of xSNXa tokens, exchanging for Ether and Synthetix (SNX).
Secondly, they discovered a fault in the xBNTa contract. As a wrapped token, its minting can only take place using BNT tokens. However, xBNTa failed to check this. So, they were able to use a different token to mint these xBNTa tokens, which they could sell.
Using this scheme, the attacker got 2,400 ETH ($10.3 million), 781,000 BNT ($6.2 million), 407,000 SNX ($8 million) and 1.9 billion xBNTa tokens. So far, they have already sold all of the tokens, except for the xBNTa, for a total of 5,600 Ether ($24.5 million).
Not just this, but the attacker paid 5 ETH ($21,900) in fees to carry out the attack. The reason the cost was high was because Ethereum transaction fees are based on how complex the transaction is— and this was a very complex transaction.