$24 500 000 USD
DESCRIPTION OF EVENTS
xToken is "a decentralized passive investing protocol," "a project which automates staking and liquidity strategies and wraps them into ERC-20 tokens." "xToken offers eight tokens, such as xSNXa and xBNTa, that offer exposure to returns from DeFi projects. They come in the form of Ethereum-based tokens that are wrapped around certain DeFi tokens, such as SNX and BNT. They give you some of the same benefits as the underlying token, such as staking rewards, but without having to leave the Ethereum ecosystem."
"The xSNXa and xBNTa token contracts, for which xToken automates the staking strategies as well as governance decisions for the latter, were exploited in a single transaction." "Over $24 million was taken from the yield-bearing liquidity pools for Synthetix (SNX) and Bancor (BNT)." "The attacker took $24.5 million using flash loans." "[T]he attack was carried out using two exploits, both targeting tokens in the xToken ecosystem." "The entity behind the attack employed flash loans to steal a range of tokens and has already sold most of the tokens for ether (ETH)."
"First, the entity liable used a flash loan to lend 61,800 ETH ($270 million). They used it to manage Kyber Network’s oracle — which relates its blockchain to real-world data. This is to mint lots of xSNXa tokens, exchanging for Ether and Synthetix (SNX)."
"Secondly, they discovered a fault in the xBNTa contract. As a wrapped token, its minting can only take place using BNT tokens. However, xBNTa failed to check this. So, they were able to use a different token to mint these xBNTa tokens, which they could sell."
"Using this scheme, the attacker got 2,400 ETH ($10.3 million), 781,000 BNT ($6.2 million), 407,000 SNX ($8 million) and 1.9 billion xBNTa tokens. So far, they have already sold all of the tokens, except for the xBNTa, for a total of 5,600 Ether ($24.5 million)."
"[T]he attacker paid 5 ETH ($21,900) in fees to carry out the attack. The reason the cost was high was because Ethereum transaction fees are based on how complex the transaction is— and this was a very complex transaction."
"xToken acknowledged the hack and promised additional information about the incident, tweeting: "We owe the community an explanation and will be providing another update shortly.""
"The team had proposed 1% of the XTK token supply to be vested over a year to compensate the victims of the hack. However, the latest proposal seeks fairer restitution for those that lost funds."
"The proposal reflects a consensus view from victims in that fair restitution would be 2% of the XTK supply, vested over one year. It continued to state that the pre-hack market valuation for XTK was around $500 million in fully diluted value (FDV)."
"It added that the $25 million lost is around 5% of this prior FDV and 2% is a fair compromise between the fault of the project resulting in the loss of funds, and the inherent risk participants should have expected."
"There is a total supply of one billion XTK tokens therefore 20 million will be allocated for compensation. At the time of writing, these would be valued at a total of $3.84 million, which is just 15% or so of the amount lost. XTK prices have dumped 50% since the exploit last week."
The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks.
Affected users will get a small fraction of what they lost, though at least they get something.
HOW COULD THIS HAVE BEEN PREVENTED?
Decentralized finance is impossible to prove as secure. On the other hand, offline multi-signature storage is a model which has not yet been breached.
Rekt - Leaderboard (May 13)
Rekt - XToken - REKT (May 16)
xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News (May 17)
xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto (May 17)
xToken Market (May 17)
DeFi Protocol XToken Suffers $24.5 Million Exploit (May 17)
@xtokenmarket Twitter (May 17)
xToken price today, XTK live marketcap, chart, and info | CoinMarketCap (May 17)
Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken (May 17)
SlowMist Hacked - SlowMist Zone (May 18)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Initial Report On Xbnta Xsnxa Exploit (Aug 11)
@frankresearcher Twitter (Aug 11)
Rekt - XToken - REKT (Aug 11)
CertiK Blockchain Security Leaderboard (Jun 1)