The xToken team tweeted that an attacker stole about $4.5 million worth of funds from xToken’s xSNX product, which lets users invest in Synthetix-based assets.
How did this happen?
A postmortem posted by the project explained that the malicious actor took out a flash loan of 25,000 ETH from the decentralized exchange dYdX to carry out the attack. They then used the Ether as collateral to borrow 1.5 million Synthetix Government Tokens (SNX) via Aave and Bancor.
These were exchanged for 6.5 million USDC on the decentralized exchange Kyber, which pushed down the price of SNX. The attacker then exchanged the USDC for Synthetix’s USD token (sUSD) before exploiting a vulnerability in xToken’s contracts to buy 614,000 SNX at an artificially depressed price of 811,000 sUSD.
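A common defence against this kind of single-transaction price manipulation is to compare a trade's execution price with a time-weighted average (TWAP) and reject large deviations. The sketch below is an added example, not xToken's code or the fix described in its postmortem. The names `twap` and `check_trade`, the 30-minute window, the 5% threshold and the price history are assumptions; only the 614,000 SNX / 811,000 sUSD trade figures come from the article.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    timestamp: int  # seconds since start of the sample
    price: float    # sUSD per SNX quoted by the DEX at that moment

def twap(observations, window_start, now):
    """Time-weighted average price over [window_start, now].
    Each quoted price is weighted by how long it stayed in effect."""
    obs = sorted(observations, key=lambda o: o.timestamp)
    total = duration = 0.0
    for i, o in enumerate(obs):
        start = max(o.timestamp, window_start)
        end = min(obs[i + 1].timestamp if i + 1 < len(obs) else now, now)
        if end > start:
            total += o.price * (end - start)
            duration += end - start
    if duration == 0:
        raise ValueError("no price history inside the window")
    return total / duration

def check_trade(snx_out, susd_in, observations, now, window=1800, max_deviation=0.05):
    """Return (allowed, execution_price, reference_price)."""
    if snx_out <= 0 or susd_in <= 0:
        raise ValueError("trade amounts must be positive")
    execution_price = susd_in / snx_out
    reference = twap(observations, now - window, now)
    deviation = abs(execution_price - reference) / reference
    return deviation <= max_deviation, execution_price, reference

# Constructed price history (not from the article): stable quotes for 30 minutes,
# then a quote pushed down within the same block as the trade (zero time weight).
HISTORY = [Observation(0, 4.35), Observation(600, 4.30),
           Observation(1200, 4.33), Observation(1800, 1.32)]

if __name__ == "__main__":
    # Trade size from the article: 614,000 SNX bought for 811,000 sUSD.
    print(check_trade(614_000, 811_000, HISTORY, now=1800))
    # Constructed ordinary trade near the reference price.
    print(check_trade(1_000, 4_300, HISTORY, now=1800))
```

Because the depressed quote exists only at the moment of the trade, it carries no time weight and the reference price stays near the earlier quotes, so the article's trade is rejected while an ordinary trade passes.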
Not the first time xToken has been exploited
The incident is the second time xToken has been exploited this year. In May, the protocol suffered a similar exploit when a malicious actor manipulated the Kyber DEX, taking advantage of xToken’s price calculation. The breach cost the protocol around $25 million in SNX tokens at the time.
The xToken team said it will work in the coming weeks to calculate investor losses and structure a compensation program based on the use of its native token.