For the second time since May, DeFi project, xToken has become the victim of an attack targeting DeFi protocols smart contracts.
In the latest attack, which occurred after hackers found a penetrable vulnerability in the smart contracts for the project’s xSNX product, it lost about $4.5 million.
The xSNX is a product of the project designed to allow users to gain exposure to Synthetix-based assets without directly interacting with the protocols complex smart contracts.
Few hours after the announcement of the attack on Aug. 29, the project’s management, amid heightened expectations, published a post mortem.
According to the Post Mortem, the malicious actor responsible for the attack took out a flash loan from the dYdX decentralized exchange (DEX) for 25,000 ETH, which is roughly the equivalent of $81 million, to carry out the attack.
The post mortem further explained that with the help of popular DeFi money market protocol Aave, and pooled liquidity token exchange, Bancor, the hackers then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX).
These were then swapped for 6.5 million USDC on foremost decentralized exchange, Kyber, an action that exerted downward pressure on the price of SNX.
After this, the attacker then swapped the USDC for Synthetixs USD token (sUSD), before exploiting a flaw in xTokens contracts to purchase 614,000 SNX at an artificially depressed price for 811,000 sUSD. At current prices, the hacker made off with $7 million worth of SNX.
Speaking on the next line of actions following the attack, the project’s management revealed that it would retire the xSNX product used that led to the attack.
The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities,”the company noted in the announcement.
The incident is not the first time xToken has been exploited this year. In May, the protocol suffered a similar fate when a malicious actor manipulated the Kyber DEX while also simultaneously taking advantage of xToken price calculations. The breach cost the protocol around $25 million in SNX tokens at the time.