May 3, 2024

Hacker drains $25 million from DeFi protocol xToken

The attacker withdrew assets worth about $25 million from the xToken decentralized finance protocol.

According to the project's developers, the attack took place on May 12 at 17:44 Moscow time. The specialists noticed "discrepancies in price and supply" about ten minutes after it began and suspended the smart contracts.

The unknown attacker immediately emptied the xBNTa and xSNXa liquidity pools. BNT and SNX tokens remained in the xToken contracts. The hacker extracted 416 ETH from the xSNX contract, which holds Ethereum as part of a debt hedging strategy.

The Bancor and Balancer liquidity pools lost assets worth about $25 million.

The attacker took out a flash loan of 61,800 ETH and then used two exploits:

  • the attacker used the cryptocurrency to manipulate the Kyber Network oracle, which provides SNX price data to the blockchain. He managed to issue a large number of synthetic tokens, which were then converted to ETH and SNX;
  • since xBNT is a "wrapped" token, issuing it requires a deposit in BNT. However, the xToken smart contract did not validate this dependency. Because of the vulnerability, the hacker was able to use cheaper SPD tokens.
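The missing deposit check from the second point, as an added example that is not xToken's contract code: a simplified Python model (1:1 minting, constructed amounts, hypothetical names `WrapperModel` and `run_scenario`) that puts the unvalidated mint beside the validated one and adds a supply-versus-backing invariant of the kind that surfaces a supply discrepancy.

```python
from dataclasses import dataclass, field

BACKING_TOKEN = "BNT"  # deposit asset named in the article


@dataclass
class WrapperModel:
    """Toy wrapped-token contract (assumption: 1 deposited unit mints 1 wrapped unit)."""
    validate_deposit: bool
    holdings: dict = field(default_factory=dict)  # token symbol -> units held
    wrapped_supply: int = 0

    def mint(self, deposit_token: str, amount: int) -> int:
        if amount <= 0:
            raise ValueError("amount must be positive")
        # Hardened path: refuse any deposit asset other than the backing token.
        if self.validate_deposit and deposit_token != BACKING_TOKEN:
            raise ValueError(f"deposit must be {BACKING_TOKEN}, got {deposit_token}")
        # Without the check above, any token is credited as if it were BNT.
        self.holdings[deposit_token] = self.holdings.get(deposit_token, 0) + amount
        self.wrapped_supply += amount
        return amount

    def unbacked_supply(self) -> int:
        """Wrapped units in circulation that no backing-token deposit covers."""
        return max(0, self.wrapped_supply - self.holdings.get(BACKING_TOKEN, 0))


def run_scenario(validate_deposit: bool) -> dict:
    """Replay the same two deposits (constructed amounts) against one model."""
    wrapper = WrapperModel(validate_deposit)
    wrapper.mint("BNT", 1_000)            # deposit in the expected asset
    rejected = False
    try:
        wrapper.mint("SPD", 500_000)      # cheaper token offered as the deposit
    except ValueError:
        rejected = True
    return {
        "rejected": rejected,
        "supply": wrapper.wrapped_supply,
        "unbacked": wrapper.unbacked_supply(),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("validate_deposit =", flag, run_scenario(flag))
```

A non-zero `unbacked` value is the invariant violation to alert on; with validation enabled the second deposit is rejected and the invariant holds.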

According to The Block analyst Igor Igamberdiev, the simultaneous use of two vulnerabilities and the speed of the attack point to the possible involvement of people close to the project's development.

According to The Block, the hacker took 2,400 ETH, 781,000 BNT, 407,000 SNX and 1.9 billion xBNTa. All tokens except xBNTa were sold for 5,600 ETH.

In early May, an attacker hit the Spartan Protocol DeFi project and pulled about $30 million from its liquidity pools. He also used flash loans.

In April, the EasyFi lending protocol lost $6 million. Hackers gained remote access to the computer and MetaMask wallet of project founder Ankitt Gour.
