A bug in the DeFi xToken protocol was explored on Wednesday (12), resulting in the loss of around R $ 130 million in tokens. The entity behind the attack used flash loans to steal a series of tokens and has already sold the majority of tokens by ethers (ETH). xToken has eight tokens, such as xSNXa and xBNTa, that offer exposure to the returns of DeFi projects. They come in the form of Ethereum-based tokens that are tied to certain tokens in the decentralized finance segment, such as SNX and BNT. They offer some of the same benefits as the underlying token, such as staking rewards, but without having to leave the Ethereum ecosystem. Flash loans are blockchain-based loans, whereby an amount of cryptocurrency is borrowed and repaid in the same transaction. They can be used to gain access to large amounts of capital at a cheap rate because the cryptocurrency is repaid instantly (and if the transaction is not completed, the money was never borrowed in the first place).
Want to earn Bitcoins?
We help you with that.
Open a free account!
But how did the attack happen?
The attacker exploited two vulnerabilities, both targeting tokens in the xToken ecosystem. First, the responsible entity used a flash loan to borrow 61,800 ETH (R $ 1.4 billion). They used it to manipulate the oracle of the Kyber Network – which connects their blockchain to real-world data – to coin many xSNXa tokens, which were then sold by ether and Synthetix (SNX). Second, they found a weakness in the xBNTa contract . As a “BNT-backed” token, this token should only be created using BNT tokens. The contract, however, failed to verify this. Thus, they were able to use a different token to coin these xBNTa tokens, and then sold. As Igor Igamberdiev of The Block Research observed: "The user was smart enough (or close enough to this project) to use two different vulnerabilities for two tokens in this project." The attacker fled with 2,400 ETH (R $ 54 million), 781,000 BNT (R $ 32 million), 407,000 SNX (R $ 42 million) and 1.9 billion xBNTa tokens. All tokens have already been sold, except xBNTa, for a total of 5,600 ether (R $ 130 million). The attacker paid 5 ETH (115 thousand reais) in fees to carry out the attack. The fee was high because Ethereum's transaction fees are based on the complexity of the transaction – and this was a very large transaction. XToken acknowledged the hack and promised additional information about the incident, tweeting: “We owe the community an explanation and will provide another update soon.” The event reinforces the risks of bugs when investing in cryptocurrencies.See also: Shiba Inu massacre: traders lose R $ 240 million on the first day of SHIB futures