Hackers discovered a vulnerability in the smart contracts for xToken’s xSNX product over the weekend, exposing the decentralized finance project to yet another attack.
The xToken team announced on Aug. 29 that the attack had drained roughly $4.5 million from the company’s xSNX product, which allows users to gain exposure to Synthetix-based assets without having to interact with the protocol’s complex smart contracts.
Our xSNX contract was exploited. Our other contracts do not have similar vulnerabilities.
Every day going forward from here will be focused on rebuilding trust with our community.
We’re assessing the situation and will update with next steps in the coming hours
— xToken (@xtokenmarket) August 29, 2021
A few hours later, the project released a post mortem explaining that the malicious actor carried out the attack using a flash loan of 25,000 ETH (roughly $81 million) from the dYdX decentralized exchange (DEX).
They then used the Ether as collateral to borrow 1.5 million Synthetix governance tokens (SNX) through Aave, a popular decentralized money market protocol, and Bancor, a pooled liquidity token exchange.
These were exchanged for 6.5 million USDC on Kyber, a decentralized exchange, putting downward pressure on the SNX price. The attacker then exchanged the USDC for Synthetix’s USD token (sUSD) and used a flaw in xToken’s contracts to buy 614,000 SNX for 811,000 sUSD at an artificially low price.
The hacker made off with $7 million in SNX at today’s prices.
xToken has announced the retirement of the xSNX product in response to the latest attack, stating:
“The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.”
With xToken, users can hold interest-bearing derivatives of crypto assets like AAVE and SNX, which require holders to engage in staking, governance, or other protocol interaction in order to receive yield.
This is not the first time xToken has been exploited this year. In May, a malicious actor manipulated the Kyber DEX while also taking advantage of xToken price calculations, and the protocol suffered a similar fate. At the time, the breach cost the protocol around $25 million in SNX tokens.
Moreover, the xToken team has stated that it will work for the next week to calculate investor losses and structure a compensation program based on the use of its native token, XTK.
According to CoinGecko, XTK has dropped 45 percent in the last 24 hours and is down more than 90 percent from its all-time high in April, which preceded the first exploit.