DeFi Project xToken Suffers a Major Exploit of Around $4.5 Million

xToken has suffered a second major exploit, losing almost $4.5 million. This follows an earlier attack on xToken in May.



On August 29, the DeFi project xToken announced on Twitter that it had suffered another major exploit after an attacker found a vulnerability in its xSNX product.


The xToken team stated that the attacker drained approximately $4.5 million worth of digital assets from the xSNX product. xSNX lets users get exposure to Synthetix-based assets without interacting directly with the protocol's complex smart contracts.


The team took to their official Medium blog to explain the situation. They said,


"On 29 August at 04:43 UTC, a vulnerability in our xSNX contract was exploited. We estimate the loss to holders at $4.5 million. We are incredibly disappointed in ourselves and deeply sorry to our community."

According to xToken, the attacker was able to call the contract's "callFunction" function directly, and that function was the source of the vulnerability.


The team added that the function should only have been callable from dYdX's SoloMargin flash loan contract, which xToken integrated to borrow funds for rebalances. A faulty require statement left the function publicly callable by anyone.


Moreover, the team admitted that they made a mistake with the coding. They said,


"We mistakenly used require(sender==address(this)) when we should have used require(msg.sender==soloMarginAddress)."
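The two require statements above look similar but check very different things: `sender` is an ordinary argument to the callback, supplied by whoever calls it, while `msg.sender` is the address that actually made the call and cannot be forged. The following is an added illustration, not xToken's code or dYdX's. It keeps the `callFunction(address sender, Account.Info, bytes)` shape of dYdX's SoloMargin callback interface, but the `IMarket` interface, the `rebalance` body and the decoded parameters are hypothetical stand-ins for whatever the real xSNX callback did.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the xToken project's code. Account.Info mirrors the
// struct dYdX passes to flash-loan callees; IMarket.rebalance is a
// hypothetical placeholder for the privileged work the callback performs.
library Account {
    struct Info { address owner; uint256 number; }
}

interface IMarket {
    function rebalance(uint256 amount, bool sellSnx) external; // hypothetical
}

// --- Vulnerable pattern: the check the article describes -------------------
contract VulnerableFlashLoanCallee {
    address public soloMarginAddress;
    IMarket public market;

    constructor(address _soloMargin, address _market) {
        soloMarginAddress = _soloMargin;
        market = IMarket(_market);
    }

    // SoloMargin calls this during a flash loan with `sender` set to the
    // account that initiated the operation. But `sender` is just calldata:
    // anyone can call this function directly and pass address(this).
    function callFunction(address sender, Account.Info memory, bytes memory data) external {
        // BUG: validates an attacker-controlled argument instead of the caller.
        require(sender == address(this), "unauthorized");
        (uint256 amount, bool sellSnx) = abi.decode(data, (uint256, bool));
        market.rebalance(amount, sellSnx); // runs with attacker-chosen parameters
    }
}

// --- Hardened pattern: bind the callback to the flash-loan contract --------
contract HardenedFlashLoanCallee {
    address public soloMarginAddress;
    IMarket public market;

    constructor(address _soloMargin, address _market) {
        soloMarginAddress = _soloMargin;
        market = IMarket(_market);
    }

    function callFunction(address sender, Account.Info memory, bytes memory data) external {
        // msg.sender cannot be spoofed: only SoloMargin itself may enter here.
        require(msg.sender == soloMarginAddress, "only SoloMargin may call");
        // Belt and braces: the loan must also have been initiated by us.
        require(sender == address(this), "loan not initiated by this contract");
        (uint256 amount, bool sellSnx) = abi.decode(data, (uint256, bool));
        market.rebalance(amount, sellSnx);
    }
}

// --- What a direct call against the vulnerable version looks like -----------
contract Attacker {
    function exploit(VulnerableFlashLoanCallee target, uint256 amount, bool sellSnx) external {
        Account.Info memory info = Account.Info(address(target), 0);
        // No flash loan involved: we simply pass address(target) as `sender`,
        // so `require(sender == address(this))` passes and our parameters
        // drive the privileged rebalance. Against HardenedFlashLoanCallee the
        // same call reverts, because msg.sender is this contract, not SoloMargin.
        target.callFunction(address(target), info, abi.encode(amount, sellSnx));
    }
}
```

The general rule this illustrates: any callback that an external protocol invokes on your behalf (flash loan callees, oracle callbacks, `onERC721Received`-style hooks) must authenticate the caller with `msg.sender`, never with data carried in the call, because the protocol is the only party that can prove it made the call. Arguments such as `sender` may still be checked, but only as an additional constraint after the `msg.sender` check.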

In addition, they stated that the attacker then carried out the remaining actions, swapping back to ETH and repaying the loans. "The source of the value extraction was that the attacker used xSNX assets to pressure SNX price and create profitable external arbitrage opportunities," xToken said.


Aside from this, the xToken team noted that they will no longer stake SNX from the xSNX contract. They are also pushing a contract upgrade early this week that will enable them to swap all of the assets in the contract into ETH, so as to maximise the value available at redemption.


They further added that they are working this week to write snapshot scripts that accurately calculate investor losses. "If you redeemed post-exploit, you will still receive compensation," they said. They will need a few days to work out the details of this script and make sure it is correct.


Lastly, they thanked their community for the positive and supportive energy in their Discord.