Hackers withdrew $ 24.5 million tokens from the DeFi xToken protocol

On Wednesday, May 12, the xToken decentralized finance protocol was hacked. With the help of quick loans, hackers were able to withdraw various tokens from the project for a total of $ 24.5 million.

The xToken protocol offers several tokens, including xSNXa and xBNTa, which are “wrappers” over other tokens that take advantage of the functionality of the original asset within the Ethereum ecosystem.

The attackers received an instant loan of 61,800 ETH ($ 270 million) and used these funds to manipulate the price of the Kyber Network oracle in order to issue a significant amount of xSNXa tokens and sell them for ETH and SNX.

The hackers also took advantage of another project vulnerability found in the xBNTa token contract. The token should only be issued using BNT, however there was a bug in the code. As a result, xBNTa could be issued using other tokens, which the attackers took advantage of.

“The attackers were smart enough (or close enough to the project’s developers) to exploit two different vulnerabilities at the same time,” said Igor Igamberdiev, an analyst at The Block Research.

The hackers received 2,400 ETH ($ 10.3 million), 781,000 BNT ($ 6.2 million), 407,000 SNX ($ 8 million) and 1.9 billion xBNTa. All tokens, with the exception of xBNTa, were sold for 5,600 ETH ($ 24.5 million). Interestingly, the commission paid by the hackers for the transaction was 5 ETH ($ 21,900) – commissions in the Ethereum network depend on the complexity of the operation, and in this case the transaction was very complex and voluminous.

Earlier this week, it was reported that one of the DeFi Rare Capital protocol liquidity pools was hacked and the attackers withdrew more than 2,600 ETH.