Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken

Quick Take

  • DeFi protocol xToken suffered an exploit today.
  • Two of its tokens were targeted and $24.5 million was taken.
  • The attacker used flash loans to carry out the exploit.

DeFi protocol xToken suffered an exploit on Wednesday, resulting in the loss of $24.5 million.

The entity behind the attack employed flash loans to steal a range of tokens and has already sold most of them for ether (ETH).

xToken offers eight tokens, such as xSNXa and xBNTa, that give holders exposure to the returns of DeFi projects. They are Ethereum-based tokens wrapped around specific DeFi tokens, such as SNX and BNT, and pass on some of the underlying token's benefits, such as staking rewards, without the holder having to leave the Ethereum ecosystem.

Flash loans are on-chain loans in which an amount of cryptocurrency is borrowed and repaid within a single transaction. They give access to large amounts of capital at low cost because repayment is enforced atomically: if the borrower has not repaid by the end of the transaction, the whole transaction reverts and the loan never takes effect.

How did the attack happen?

The attack was carried out using two exploits, both targeting tokens in the xToken ecosystem. 

First, the attacker took out a flash loan of 61,800 ETH ($270 million) and used it to distort the price that the xSNXa contract read from Kyber Network, an on-chain exchange whose rate served as its price oracle. At the manipulated price they minted a large amount of xSNXa, which was then sold for ether and Synthetix (SNX).
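The flash-loan and spot-price mechanics described above, as an added simulation (not xToken, Kyber or Synthetix code): a fee-less constant-product pool stands in for the exchange whose reserves a wrapper contract reads as its price oracle, a vault mints wrapped tokens at that spot price, and the attacker's whole sequence runs as one transaction that reverts if the loan cannot be repaid. The pool reserves, vault balance, loan size, lender fee and the external fair price `FAIR` are all constructed assumptions. The hardened variant (`max_deviation`) shows the check a practitioner would want: refuse to mint when the spot price has moved far from an independent reference.

```python
"""Simulation of a flash-loan-funded spot-price oracle manipulation.

Added illustration: this is not xToken, Kyber or Synthetix code. The pool
reserves, vault balance, loan size and fee are constructed assumptions, and
the pool is a fee-less constant-product AMM (x * y = k).
"""
import copy
from dataclasses import dataclass
from typing import Optional

FAIR = 0.01  # assumed ETH-per-TOK price on a deep external market the attacker cannot move


class Revert(Exception):
    """Stands in for an EVM revert: every state change in the transaction is undone."""


@dataclass
class Pool:
    """Exchange pool whose reserves a contract might read as a price oracle."""
    eth: float
    tok: float

    def spot(self) -> float:
        """ETH per TOK read straight from reserves; one large swap moves it."""
        return self.eth / self.tok

    def swap_tok_for_eth(self, tok_in: float) -> float:
        k = self.eth * self.tok
        self.tok += tok_in
        eth_out = self.eth - k / self.tok
        self.eth -= eth_out
        return eth_out

    def swap_eth_for_tok(self, eth_in: float) -> float:
        k = self.eth * self.tok
        self.eth += eth_in
        tok_out = self.tok - k / self.eth
        self.tok -= tok_out
        return tok_out


@dataclass
class Vault:
    """Wrapper token: xTOK is a pro-rata claim on the TOK the vault holds.
    mint() prices ETH deposits with the pool's spot price."""
    pool: Pool
    tok: float
    supply: float
    max_deviation: Optional[float] = None  # None: no sanity check (vulnerable)

    def mint(self, eth_in: float) -> float:
        price = self.pool.spot()
        # Hardened variant: refuse to mint when the spot price is far from a
        # reference (here the assumed fair price; a real contract would use a
        # TWAP or an independent feed).
        if self.max_deviation is not None and abs(price / FAIR - 1) > self.max_deviation:
            raise Revert("oracle price deviates from reference")
        minted = eth_in / price       # xTOK owed at the quoted price
        self.tok += eth_in / FAIR     # vault converts the ETH to TOK at fair value
        self.supply += minted
        return minted

    def redeem(self, xtok: float) -> float:
        out = xtok / self.supply * self.tok
        self.tok -= out
        self.supply -= xtok
        return out

    def backing(self) -> float:
        """TOK held per xTOK outstanding; 1.0 means fully backed."""
        return self.tok / self.supply


def run_attack(vault: Vault, loan: float, fee: float) -> float:
    """The attacker's single transaction. Returns profit in ETH, or raises Revert."""
    pool = vault.pool
    pool_eth_before = pool.eth
    eth = loan                                  # 1. borrow ETH via flash loan
    tok = 0.2 * loan / FAIR                     # 2. buy TOK at fair value externally
    eth -= 0.2 * loan
    eth += pool.swap_tok_for_eth(tok)           # 3. dump TOK into the pool: spot collapses
    xtok = vault.mint(0.6 * loan)               # 4. mint xTOK at the depressed spot price
    eth -= 0.6 * loan
    tok = vault.redeem(xtok)                    # 5. redeem against the vault's real holdings
    refill = pool_eth_before - pool.eth         # 6. undo the dump to recover the TOK
    tok += pool.swap_eth_for_tok(refill)
    eth -= refill
    eth += tok * FAIR                           # 7. sell all TOK at fair value externally
    owed = loan * (1 + fee)                     # 8. repay principal plus lender fee
    if eth < owed:
        raise Revert("flash loan not repaid")
    return eth - owed


def simulate(vault: Vault, loan: float, fee: float):
    """Apply transaction semantics: on Revert, return the untouched pre-state."""
    snapshot = copy.deepcopy(vault)
    try:
        return run_attack(vault, loan, fee), vault
    except Revert:
        return None, snapshot


if __name__ == "__main__":
    for dev in (None, 0.05):
        v = Vault(Pool(10_000.0, 1_000_000.0), tok=2_000_000.0, supply=2_000_000.0, max_deviation=dev)
        profit, after = simulate(v, loan=50_000.0, fee=0.0009)
        print(f"check={dev}: profit={profit} backing={after.backing():.3f}")
```

With no check, the attacker walks away with roughly 12,800 ETH of profit and leaves the vault holding about 0.36 TOK per outstanding xTOK, which is the loss the honest holders absorb. With the deviation check the mint reverts, and because the dump happened inside the same transaction it is undone too; the attacker is left paying only the gas.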

Second, they found a weakness in the xBNTa contract. As a wrapped token, xBNTa should only be minted in exchange for BNT. The contract, however, never verified which token it was being given, so the attacker was able to mint xBNTa with a different token and then sell the result.

As The Block Research’s Igor Igamberdiev noted: “The attacker was smart enough (or close enough to this project) to use two different exploits for two projects’ tokens.”

The attacker made off with 2,400 ETH ($10.3 million), 781,000 BNT ($6.2 million), 407,000 SNX ($8 million) and 1.9 billion xBNTa tokens. Everything except the xBNTa has already been sold, for a total of 5,600 ether ($24.5 million).

The attacker paid 5 ETH ($21,900) in fees to carry out the attack. The fee was high because Ethereum transaction fees scale with the computation a transaction performs (its gas use), and this was a very complex transaction.

xToken acknowledged the hack and promised additional information about the incident, tweeting: "We owe the community an explanation and will be providing another update shortly."

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.