XToken Breached: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} thumb|XTokenThe xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. Affected users will get a small fraction of what they lost, though at least they get something. This is a global/international case not involving a specific country. == About XToken == xToken is "a decentralized passive inve...") |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} | {{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/xtokenbreached.php}} | ||
{{Unattributed Citations}} | |||
[[File:Xtoken.jpg|thumb|XToken]]The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. | [[File:Xtoken.jpg|thumb|XToken]]The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks. | ||
| Line 6: | Line 7: | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country. | ||
<ref name="rekt-513" /><ref name="rekt-665" /><ref name="thedefiant-666" /><ref name="beincrypto-667" /><ref name="xtokenmarket-668" /><ref name="investingdotcom-669" /><ref name="xtokenmarkettwitter-670" /><ref name="coinmarketcap-671" /><ref name="theblockcrypto-672" /><ref name="slowmisthacked-678" /><ref name="openblocksecgithub-2342" /><ref name="xtokenmedium-2377" /><ref name="frankresearchertwitter-2378" /><ref name="rektnews-2379" /><ref name="certik-1251" /> | |||
== About XToken == | == About XToken == | ||
| Line 45: | Line 47: | ||
Don't Include: | Don't Include: | ||
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | * Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
| Line 67: | Line 68: | ||
|- | |- | ||
|May 12th, 2021 12:00:00 AM | |May 12th, 2021 12:00:00 AM | ||
| | |Main Event | ||
| | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
|- | |- | ||
| | | | ||
| Line 80: | Line 77: | ||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | The total amount lost has been estimated at $24,500,000 USD. | ||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 91: | Line 88: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | |||
What funds were recovered? What funds were reimbursed for those affected users? | What funds were recovered? What funds were reimbursed for those affected users? | ||
| Line 102: | Line 99: | ||
== References == | == References == | ||
[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May 12) | <references><ref name="rekt-513">[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May 12, 2021)</ref> | ||
[https://rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (May 15) | <ref name="rekt-665">[https://rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (May 15, 2021)</ref> | ||
[https://thedefiant.io/xtoken-defi-project-hacked-for-over-25m/ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News] (May 16) | <ref name="thedefiant-666">[https://thedefiant.io/xtoken-defi-project-hacked-for-over-25m/ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News] (May 16, 2021)</ref> | ||
[https://beincrypto.com/xtoken-proposes-compensation-after-25m-defi-hack/ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto] (May 16) | <ref name="beincrypto-667">[https://beincrypto.com/xtoken-proposes-compensation-after-25m-defi-hack/ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto] (May 16, 2021)</ref> | ||
[https://xtoken.market/ xToken Market] (May 16) | <ref name="xtokenmarket-668">[https://xtoken.market/ xToken Market] (May 16, 2021)</ref> | ||
[https://www.investing.com/news/cryptocurrency-news/defi-protocol-xtoken-suffers-245-million-exploit-2507531 DeFi Protocol XToken Suffers $24.5 Million Exploit] (May 16) | <ref name="investingdotcom-669">[https://www.investing.com/news/cryptocurrency-news/defi-protocol-xtoken-suffers-245-million-exploit-2507531 DeFi Protocol XToken Suffers $24.5 Million Exploit] (May 16, 2021)</ref> | ||
[https://twitter.com/xtokenmarket/status/1392483368135233544 @xtokenmarket Twitter] (May 16) | <ref name="xtokenmarkettwitter-670">[https://twitter.com/xtokenmarket/status/1392483368135233544 @xtokenmarket Twitter] (May 16, 2021)</ref> | ||
[https://coinmarketcap.com/currencies/xtoken/ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap] (May 16) | <ref name="coinmarketcap-671">[https://coinmarketcap.com/currencies/xtoken/ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap] (May 16, 2021)</ref> | ||
[https://www.theblockcrypto.com/post/104667/defi-protocol-xtoken-exploit-attack Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken] (May 16) | <ref name="theblockcrypto-672">[https://www.theblockcrypto.com/post/104667/defi-protocol-xtoken-exploit-attack Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken] (May 16, 2021)</ref> | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 17) | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 17, 2021)</ref> | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 10) | <ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 10, 2021)</ref> | ||
[https://medium.com/xtoken/initial-report-on-xbnta-xsnxa-exploit-d6e784387f8e Initial Report On Xbnta Xsnxa Exploit] (Aug 10) | <ref name="xtokenmedium-2377">[https://medium.com/xtoken/initial-report-on-xbnta-xsnxa-exploit-d6e784387f8e Initial Report On Xbnta Xsnxa Exploit] (Aug 10, 2021)</ref> | ||
[https://twitter.com/frankresearcher/status/1392515198674681863 @frankresearcher Twitter] (Aug 10) | <ref name="frankresearchertwitter-2378">[https://twitter.com/frankresearcher/status/1392515198674681863 @frankresearcher Twitter] (Aug 10, 2021)</ref> | ||
[https://www.rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (Aug 10) | <ref name="rektnews-2379">[https://www.rekt.news/xtoken-rekt/ Rekt - XToken - REKT] (Aug 10, 2021)</ref> | ||
[https://www.certik.org/ CertiK Blockchain Security Leaderboard] (May 31) | <ref name="certik-1251">[https://www.certik.org/ CertiK Blockchain Security Leaderboard] (May 31, 2021)</ref></references> | ||
Revision as of 17:52, 18 February 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The xToken attack surprised many people, however it's not surprising given the number of decentralized finance attacks.
Affected users will get a small fraction of what they lost, though at least they get something.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About XToken
xToken is "a decentralized passive investing protocol," "a project which automates staking and liquidity strategies and wraps them into ERC-20 tokens." "xToken offers eight tokens, such as xSNXa and xBNTa, that offer exposure to returns from DeFi projects. They come in the form of Ethereum-based tokens that are wrapped around certain DeFi tokens, such as SNX and BNT. They give you some of the same benefits as the underlying token, such as staking rewards, but without having to leave the Ethereum ecosystem."
"The xSNXa and xBNTa token contracts, for which xToken automates the staking strategies as well as governance decisions for the latter, were exploited in a single transaction." "Over $24 million was taken from the yield-bearing liquidity pools for Synthetix (SNX) and Bancor (BNT)." "The attacker took $24.5 million using flash loans." "[T]he attack was carried out using two exploits, both targeting tokens in the xToken ecosystem." "The entity behind the attack employed flash loans to steal a range of tokens and has already sold most of the tokens for ether (ETH)."
"First, the entity liable used a flash loan to lend 61,800 ETH ($270 million). They used it to manage Kyber Network’s oracle — which relates its blockchain to real-world data. This is to mint lots of xSNXa tokens, exchanging for Ether and Synthetix (SNX)."
"Secondly, they discovered a fault in the xBNTa contract. As a wrapped token, its minting can only take place using BNT tokens. However, xBNTa failed to check this. So, they were able to use a different token to mint these xBNTa tokens, which they could sell."
"Using this scheme, the attacker got 2,400 ETH ($10.3 million), 781,000 BNT ($6.2 million), 407,000 SNX ($8 million) and 1.9 billion xBNTa tokens. So far, they have already sold all of the tokens, except for the xBNTa, for a total of 5,600 Ether ($24.5 million)."
"[T]he attacker paid 5 ETH ($21,900) in fees to carry out the attack. The reason the cost was high was because Ethereum transaction fees are based on how complex the transaction is— and this was a very complex transaction."
"xToken acknowledged the hack and promised additional information about the incident, tweeting: "We owe the community an explanation and will be providing another update shortly.""
"The team had proposed 1% of the XTK token supply to be vested over a year to compensate the victims of the hack. However, the latest proposal seeks fairer restitution for those that lost funds."
"The proposal reflects a consensus view from victims in that fair restitution would be 2% of the XTK supply, vested over one year. It continued to state that the pre-hack market valuation for XTK was around $500 million in fully diluted value (FDV)."
"It added that the $25 million lost is around 5% of this prior FDV and 2% is a fair compromise between the fault of the project resulting in the loss of funds, and the inherent risk participants should have expected."
"There is a total supply of one billion XTK tokens therefore 20 million will be allocated for compensation. At the time of writing, these would be valued at a total of $3.84 million, which is just 15% or so of the amount lost. XTK prices have dumped 50% since the exploit last week."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| May 12th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $24,500,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Decentralized finance is impossible to prove as secure. On the other hand, offline multi-signature storage is a model which has not yet been breached.
References
- ↑ Rekt - Leaderboard (May 12, 2021)
- ↑ Rekt - XToken - REKT (May 15, 2021)
- ↑ xToken DeFi Project Hacked For Over $25M - The Defiant - DeFi News (May 16, 2021)
- ↑ xToken Proposes Compensation After $25M DeFi Hack - BeInCrypto (May 16, 2021)
- ↑ xToken Market (May 16, 2021)
- ↑ DeFi Protocol XToken Suffers $24.5 Million Exploit (May 16, 2021)
- ↑ @xtokenmarket Twitter (May 16, 2021)
- ↑ xToken price today, XTK live marketcap, chart, and info | CoinMarketCap (May 16, 2021)
- ↑ Attacker uses flash loans in $24.5 million exploit of DeFi protocol xToken (May 16, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 17, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10, 2021)
- ↑ Initial Report On Xbnta Xsnxa Exploit (Aug 10, 2021)
- ↑ @frankresearcher Twitter (Aug 10, 2021)
- ↑ Rekt - XToken - REKT (Aug 10, 2021)
- ↑ CertiK Blockchain Security Leaderboard (May 31, 2021)