XToken Breached: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} thumb|XTokenThe xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. Affected users will get a small fraction of what they lost, though at least they get something. This is a global/international case not involving a specific country. == About XToken == xToken is "a decentralized passive inve...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} | ||
{{Unattributed Sources}} | |||
[[File:Xtoken.jpg|thumb|XToken]]The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. | [[File:Xtoken.jpg|thumb|XToken]]The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. | ||
| Line 5: | Line 6: | ||
Affected users will get a small fraction of what they lost, though at least they get something. | Affected users will get a small fraction of what they lost, though at least they get something. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="rekt-513" /><ref name="rekt-665" /><ref name="thedefiant-666" /><ref name="beincrypto-667" /><ref name="xtokenmarket-668" /><ref name="investingdotcom-669" /><ref name="xtokenmarkettwitter-670" /><ref name="coinmarketcap-671" /><ref name="theblockcrypto-672" /><ref name="slowmisthacked-678" /><ref name="openblocksecgithub-2342" /><ref name="xtokenmedium-2377" /><ref name="frankresearchertwitter-2378" /><ref name="rektnews-2379" /><ref name="certik-1251" /> | ||
== About XToken == | == About XToken == | ||
| Line 45: | Line 46: | ||
Don't Include: | Don't Include: | ||
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | * Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
| Line 66: | Line 66: | ||
!Description | !Description | ||
|- | |- | ||
|May 12th, 2021 | |May 12th, 2021 | ||
| | |Main Event | ||
| | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
|- | |- | ||
| | | | ||
| Line 78: | Line 74: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | The total amount lost has been estimated at $24,500,000 USD. | ||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 91: | Line 90: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | |||
What funds were recovered? What funds were reimbursed for those affected users? | What funds were recovered? What funds were reimbursed for those affected users? | ||
| Line 97: | Line 96: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
Decentralized finance is impossible to prove as secure. On the other hand, offline multi-signature storage is a model which has not yet been breached. | |||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May | <references><ref name="rekt-513">[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May 13, 2021)</ref> | ||
[https://rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (May | <ref name="rekt-665">[https://rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (May 16, 2021)</ref> | ||
[https://thedefiant.io/xtoken-defi-project-hacked-for-over-25m/ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News] (May | <ref name="thedefiant-666">[https://thedefiant.io/xtoken-defi-project-hacked-for-over-25m/ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News] (May 17, 2021)</ref> | ||
[https://beincrypto.com/xtoken-proposes-compensation-after-25m-defi-hack/ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto] (May | <ref name="beincrypto-667">[https://beincrypto.com/xtoken-proposes-compensation-after-25m-defi-hack/ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto] (May 17, 2021)</ref> | ||
[https://xtoken.market/ xToken Market] (May | <ref name="xtokenmarket-668">[https://xtoken.market/ xToken Market] (May 17, 2021)</ref> | ||
[https://www.investing.com/news/cryptocurrency-news/defi-protocol-xtoken-suffers-245-million-exploit-2507531 DeFi Protocol XToken Suffers $24.5 Million Exploit] (May | <ref name="investingdotcom-669">[https://www.investing.com/news/cryptocurrency-news/defi-protocol-xtoken-suffers-245-million-exploit-2507531 DeFi Protocol XToken Suffers $24.5 Million Exploit] (May 17, 2021)</ref> | ||
[https://twitter.com/xtokenmarket/status/1392483368135233544 @xtokenmarket Twitter] (May | <ref name="xtokenmarkettwitter-670">[https://twitter.com/xtokenmarket/status/1392483368135233544 @xtokenmarket Twitter] (May 17, 2021)</ref> | ||
[https://coinmarketcap.com/currencies/xtoken/ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap] (May | <ref name="coinmarketcap-671">[https://coinmarketcap.com/currencies/xtoken/ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap] (May 17, 2021)</ref> | ||
[https://www.theblockcrypto.com/post/104667/defi-protocol-xtoken-exploit-attack Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken] (May | <ref name="theblockcrypto-672">[https://www.theblockcrypto.com/post/104667/defi-protocol-xtoken-exploit-attack Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken] (May 17, 2021)</ref> | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref> | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug | <ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref> | ||
[https://medium.com/xtoken/initial-report-on-xbnta-xsnxa-exploit-d6e784387f8e Initial Report On Xbnta Xsnxa Exploit] (Aug | <ref name="xtokenmedium-2377">[https://medium.com/xtoken/initial-report-on-xbnta-xsnxa-exploit-d6e784387f8e Initial Report On Xbnta Xsnxa Exploit] (Aug 11, 2021)</ref> | ||
[https://twitter.com/frankresearcher/status/1392515198674681863 @frankresearcher Twitter] (Aug | <ref name="frankresearchertwitter-2378">[https://twitter.com/frankresearcher/status/1392515198674681863 @frankresearcher Twitter] (Aug 11, 2021)</ref> | ||
[https://www.rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (Aug | <ref name="rektnews-2379">[https://www.rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (Aug 11, 2021)</ref> | ||
[https://www.certik.org/ CertiK Blockchain Security Leaderboard] ( | <ref name="certik-1251">[https://www.certik.org/ CertiK Blockchain Security Leaderboard] (Jun 1, 2021)</ref></references> | ||
Latest revision as of 17:50, 2 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks.
Affected users will get a small fraction of what they lost, though at least they get something.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About XToken
xToken is "a decentralized passive investing protocol," "a project which automates staking and liquidity strategies and wraps them into ERC-20 tokens." "xToken offers eight tokens, such as xSNXa and xBNTa, that offer exposure to returns from DeFi projects. They come in the form of Ethereum-based tokens that are wrapped around certain DeFi tokens, such as SNX and BNT. They give you some of the same benefits as the underlying token, such as staking rewards, but without having to leave the Ethereum ecosystem."
"The xSNXa and xBNTa token contracts, for which xToken automates the staking strategies as well as governance decisions for the latter, were exploited in a single transaction." "Over $24 million was taken from the yield-bearing liquidity pools for Synthetix (SNX) and Bancor (BNT)." "The attacker took $24.5 million using flash loans." "[T]he attack was carried out using two exploits, both targeting tokens in the xToken ecosystem." "The entity behind the attack employed flash loans to steal a range of tokens and has already sold most of the tokens for ether (ETH)."
"First, the entity liable used a flash loan to lend 61,800 ETH ($270 million). They used it to manage Kyber Network’s oracle — which relates its blockchain to real-world data. This is to mint lots of xSNXa tokens, exchanging for Ether and Synthetix (SNX)."
"Secondly, they discovered a fault in the xBNTa contract. As a wrapped token, its minting can only take place using BNT tokens. However, xBNTa failed to check this. So, they were able to use a different token to mint these xBNTa tokens, which they could sell."
"Using this scheme, the attacker got 2,400 ETH ($10.3 million), 781,000 BNT ($6.2 million), 407,000 SNX ($8 million) and 1.9 billion xBNTa tokens. So far, they have already sold all of the tokens, except for the xBNTa, for a total of 5,600 Ether ($24.5 million)."
"[T]he attacker paid 5 ETH ($21,900) in fees to carry out the attack. The reason the cost was high was because Ethereum transaction fees are based on how complex the transaction is— and this was a very complex transaction."
"xToken acknowledged the hack and promised additional information about the incident, tweeting: "We owe the community an explanation and will be providing another update shortly.""
"The team had proposed 1% of the XTK token supply to be vested over a year to compensate the victims of the hack. However, the latest proposal seeks fairer restitution for those that lost funds."
"The proposal reflects a consensus view from victims in that fair restitution would be 2% of the XTK supply, vested over one year. It continued to state that the pre-hack market valuation for XTK was around $500 million in fully diluted value (FDV)."
"It added that the $25 million lost is around 5% of this prior FDV and 2% is a fair compromise between the fault of the project resulting in the loss of funds, and the inherent risk participants should have expected."
"There is a total supply of one billion XTK tokens therefore 20 million will be allocated for compensation. At the time of writing, these would be valued at a total of $3.84 million, which is just 15% or so of the amount lost. XTK prices have dumped 50% since the exploit last week."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| May 12th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $24,500,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Decentralized finance is impossible to prove as secure. On the other hand, offline multi-signature storage is a model which has not yet been breached.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Rekt - Leaderboard (May 13, 2021)
- ↑ Rekt - XToken - REKT (May 16, 2021)
- ↑ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News (May 17, 2021)
- ↑ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto (May 17, 2021)
- ↑ xToken Market (May 17, 2021)
- ↑ DeFi Protocol XToken Suffers $24.5 Million Exploit (May 17, 2021)
- ↑ @xtokenmarket Twitter (May 17, 2021)
- ↑ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap (May 17, 2021)
- ↑ Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken (May 17, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ Initial Report On Xbnta Xsnxa Exploit (Aug 11, 2021)
- ↑ @frankresearcher Twitter (Aug 11, 2021)
- ↑ Rekt - XToken - REKT (Aug 11, 2021)
- ↑ CertiK Blockchain Security Leaderboard (Jun 1, 2021)