xToken $24.5M Exploit - May 12, 2021
DeFi protocol xToken suffered an exploit on May 12, 2021, when an attacker used flash loans to take $24.5 million.
Attack Mechanism
The attack was carried out using two exploits, both targeting tokens in the xToken ecosystem.
First Exploit (xSNXa)
The attacker took out a flash loan of 61,800 ETH ($270 million) and used it to manipulate Kyber Network's oracle, which allowed them to mint a large quantity of xSNXa tokens. These were then sold for ether and Synthetix (SNX).
Second Exploit (xBNTa)
The attacker also found a weakness in the xBNTa contract. As a wrapped token, xBNTa should only be minted using BNT tokens, but the contract failed to check this, so the attacker was able to mint xBNTa with a different token and then sell it.
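The missing check described above can be shown with a small model. This is an added example, not xToken's contract code: the Token and Wrapper classes, their method names, the 1:1 share ratio and the "JUNK" token are all assumptions made for illustration.

```python
# Simplified model of a wrapped-token mint path (hypothetical names throughout;
# this is not the xBNTa contract).
class Token:
    def __init__(self, symbol):
        self.symbol, self.balances = symbol, {}

    def credit(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount

    def transfer(self, src, dst, amount):
        if amount <= 0 or self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.credit(dst, amount)

class Wrapper:
    """Issues shares 1:1 against deposits of a single underlying token."""
    def __init__(self, underlying):
        self.underlying, self.shares = underlying, {}

    def backing(self):
        return self.underlying.balances.get(self, 0)

    def mint_unchecked(self, caller, token, amount):
        # Weak form: accepts whichever token the caller names and mints against it.
        token.transfer(caller, self, amount)
        self.shares[caller] = self.shares.get(caller, 0) + amount

    def mint_checked(self, caller, token, amount):
        # Hardened form: the deposit must be the underlying asset, and shares
        # are issued against the measured increase in backing.
        if token is not self.underlying:
            raise PermissionError("deposit token is not the underlying asset")
        before = self.backing()
        token.transfer(caller, self, amount)
        received = self.backing() - before
        self.shares[caller] = self.shares.get(caller, 0) + received

def is_fully_backed(wrapper):
    """Invariant to monitor: outstanding shares never exceed held underlying."""
    return sum(wrapper.shares.values()) <= wrapper.backing()

def demo():
    # Constructed scenario: "BNT" is the underlying, "JUNK" is an unrelated token.
    bnt, junk = Token("BNT"), Token("JUNK")
    junk.credit("depositor", 1_000)
    weak, hard = Wrapper(bnt), Wrapper(bnt)
    weak.mint_unchecked("depositor", junk, 1_000)
    try:
        hard.mint_checked("depositor", junk, 1_000)
        rejected = False
    except PermissionError:
        rejected = True
    return is_fully_backed(weak), is_fully_backed(hard), rejected
```

The backing invariant in is_fully_backed is also the kind of condition worth asserting in tests and watching on-chain, since it fails as soon as shares are issued against anything other than the underlying asset.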
Stolen Assets
The attacker made off with:
• 2,400 ETH ($10.3 million)
• 781,000 BNT ($6.2 million)
• 407,000 SNX ($8 million)
• 1.9 billion xBNTa tokens
Platform Impact
The exploit caused a 30% decrease in the platform's TVL.