{"id":332189,"date":"2021-08-30T08:41:55","date_gmt":"2021-08-30T05:41:55","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/beleaguered-defi-project-xtoken-suffers-second-major-exploit-since-may\/"},"modified":"2021-08-30T08:41:55","modified_gmt":"2021-08-30T05:41:55","slug":"beleaguered-defi-project-xtoken-suffers-second-major-exploit-since-may","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/beleaguered-defi-project-xtoken-suffers-second-major-exploit-since-may\/","title":{"rendered":"# Beleaguered DeFi project xToken suffers second major exploit since May"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDgvOTQ3ZWQ3YjAtNWRmYS00MGYyLTg5MGYtMmJmODVmZDJhY2I2LmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>The decentralized finance project xToken has suffered another exploit over the weekend after hackers discovered a vulnerability in the smart contracts for its xSNX product.<\/p>\n<p>On Aug. 29, the xToken team reported that the attack had resulted in roughly $4.5 million worth of funds being drained from xToken\u2019s xSNX product \u2014 which allows users to gain exposure to Synthetix-based assets without directly interacting with the protocol\u2019s complex smart contracts. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Our xSNX contract was exploited. 
Our other contracts do not have similar vulnerabilities.<\/p>\n<p>Every day going forward from here will be focused on rebuilding trust with our community.<\/p>\n<p>We&#8217;re assessing the situation and will update with next steps in the coming hours<\/p>\n<p>\u2014 xToken (@xtokenmarket) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/xtokenmarket\/status\/1431886520214904846?ref_src=twsrc%5Etfw\">August 29, 2021<\/a><\/p><\/blockquote>\n<p>The project published a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/xtoken\/xsnx-post-mortem-666d35071f38\">post mortem<\/a> a few hours later, explaining that the malicious actor had taken out a flash loan from the dYdX decentralized exchange (DEX) for 25,000 ETH (roughly $81 million) to carry out the attack.<\/p>\n<p>They then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) using the popular DeFi money market protocol Aave and the pooled-liquidity token exchange Bancor.<\/p>\n<p>These were swapped for 6.5 million USDC on the decentralized exchange Kyber, exerting downward pressure on the price of SNX. 
The attacker then swapped the USDC for Synthetix\u2019s USD token (sUSD), before exploiting a flaw in xToken\u2019s contracts to purchase 614,000 SNX at an artificially depressed price for 811,000 sUSD.<\/p>\n<p>At current prices, the hacker made off with $7 million worth of SNX.<\/p>\n<p>In response to the latest attack, xToken has announced it will retire the xSNX product, stating:<\/p>\n<blockquote><p>\u201cThe current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.\u201d<\/p><\/blockquote>\n<p>xToken allows users to hold interest-bearing derivatives of crypto assets like AAVE and SNX that require holders to participate in staking, governance, or other protocol interaction in order to receive yield.<\/p>\n<p>The incident is not the first time xToken has been exploited this year. In May, the protocol suffered a similar fate when a malicious actor manipulated the Kyber DEX while also simultaneously taking advantage of xToken price calculations. The breach cost the protocol around $25 million in SNX tokens at the time.<\/p>\n<p>Moving forward, the xToken team stated it will spend the coming week working to calculate investor losses and structure a compensation program based on using its native token, XTK. <\/p>\n<p>At the time of writing, XTK had dumped 45% over the past 24 hours, according to CoinGecko, and is down more than 90% from its April all-time high which preceded the first exploit. <\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/beleaguered-defi-project-xtoken-suffers-second-major-exploit-since-may\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Beleaguered DeFi project xToken suffers second major exploit since May &#8221; The decentralized finance project xToken has suffered another exploit over the weekend after hackers discovered a vulnerability in the smart contracts for its xSNX product. On Aug. 
29, the xToken team reported that the attack had resulted in roughly $4.5 million worth of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":332190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDgvOTQ3ZWQ3YjAtNWRmYS00MGYyLTg5MGYtMmJmODVmZDJhY2I2LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,74882,4965],"class_list":["post-332189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-hacks","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/332189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=332189"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/332189\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/332190"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=332189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=332189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=332189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}