xToken, a project which automates staking and liquidity strategies and wraps them into ERC-20 tokens, has been hacked to the tune of ~$25M.
The attack resulted in xToken’s TVL dropping by roughly 30% to $63M, according to DeFi Llama.
The xSNXa and xBNTa token contracts, for which xToken automates the staking strategies as well as governance decisions for the latter, were exploited in a single transaction.
According to research analyst Igor Igamberdiev, the attacker pulled off the exploit by borrowing 61.8K ETH with a dYdX flashloan, then borrowing and swapping for 1.2M SNX tokens and selling them on Uniswap.
The attacker then minted 1.2B xSNXa with only .12 ETH due to the crashed SNX price. Within xToken’s protocol however, xSNXa price was still high, allowing 105M xSNXa to be sold for 414 ETH. The hacker then reversed the swaps, repaid the loans, and repaid the flashloan to dYdX.
As for the xBNTa hack and according to Igamberdiev, the xToken contract didn’t verify whether BNT tokens were used in xBNTa mint, allowing the hacker to make the contract think SPD tokens, which are worth $.00014 at the time writing, were BNT tokens, worth $7.47. This allowed the hacker to then swap the xBNTa into actual BNT tokens and withdraw them.
xToken’s founder Michael Cohen published an initial report on the hack saying the project will “follow up in the coming days on more detailed plans for holders to recover their tokens.”
For now, token holders must wait, with some wondering why xToken didn’t use a Chainlink oracle to price SNX, as had the token been priced correctly, the attack would not have occurred.