DeFi xToken protocol hacked for the second time in a year

The xToken decentralized finance project has been hacked for the second time in a year. Attackers discovered a vulnerability in the xSNX smart contract and withdrew $ 4.5 million worth of tokens.

The xSNX product of the xToken project allows users to access Synthetix-based assets without having to interact with the platform’s complex smart contracts. After the hack, the xToken developers announced that they would remove access to the xSNX product.

To carry out the hack, the attacker took an instant loan on the dYdX decentralized exchange in the amount of 25,000 ETH ($ 81 million) and used these funds as collateral to obtain 1.5 million SNX tokens through the Aave and Bancor protocols.

The tokens were exchanged for 6.5 million USDC through the Kyber decentralized exchange, which put powerful pressure on the SNX price. The attacker then exchanged the UDSC for Synthetix-based sUSD tokens, which were used to buy 614,000 SNX in the xToken pool for 811,000 sUSD. Thus, the hacker received SNX tokens worth more than $ 7 million.

The xToken team stated that no similar vulnerabilities were found in other platform products. The xSNX contracts are the most complex on the platform, and there are too many dependencies in the current implementation of the product, which provides a basis for various vulnerabilities. Therefore, it was decided to close this product.

“We will devote each day to restoring community trust in our platform.” highlighted developers.

As a reminder, in May of this year, the xToken protocol was hacked in a similar way. With the help of quick loans, hackers were able to withdraw various tokens from the project for a total of $ 24.5 million.