Decentralized finance (DeFi) protocol xToken suffered another exploit following a vulnerability in the xSNX contract, which resulted in the loss of $4.5 million. Cream Finance protocol also lost over $26 million from a flash loan attack.
Attackers Drain $4.5 Million from xToken
The team behind the xToken project announced the news of the xSNX exploit via Twitter on August 29. A post mortem was later published detailing the attack and subsequent decision carried out by the team.
According to the report, the attack was carried out using a flash loan. The attacker took a flash loan for 25,000 ETH ($79.6 million). The ETH was then used to borrow 1 million SNX via the lending and borrowing protocol Aave, and to swap close to 7,000 ETH for 519,000 SNX on liquidity protocol Bancor, leaving the attacker with 1.5 million SNX tokens.
The SNX was later swapped for 6.5 million USDC, causing a significant drop in the SNX price. Furthermore, the USDC was swapped for 6.5 million sUSD, Synthetix’s USD token, on Curve. With the attacker able to exploit a vulnerability in the xSNX contract, the rogue actor bought 614,000 SNX at an artificially depressed price for 811,000 sUSD, which was swapped for 811,000 USDC.
This recent attack marks the second time xToken has suffered an exploit. Back in May, the xToken team revealed that a malicious hacker exploited a bug in the xSNXa and xBNTa contracts, and drained nearly $25 million from the protocol.
Meanwhile, xToken in its latest post mortem stated that it will discontinue offering the xSNX product, while also working on a compensation plan. According to the report:
“At this time, we believe it best to sunset our xSNX product offering. The current xSNX implementation is by far our most complicated product, with complex dependencies and significant surface area for vulnerabilities.”
Cream Finance hit with Flash Loan Attack, Loses Over $26 Million
Another DeFi protocol that was struck twice was Cream Finance. Blockchain security company PeckShield first reported a flash loan attack on the project on Monday (August 30, 2021), with the attacker stealing $18.8 million from the platform.
Cream Finance confirmed the report, adding that it lost 418,311,571 AMP and 1,308.09 ETH tokens, with both worth $26.8 million. In response to the attack, the team behind the project said:
“We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.”
The first attack on the protocol happened back in February, when DeFi product Alpha Homora reported an exploit using Cream’s Iron Bank service that resulted in the loss of over $37 million.
In March, Cream revealed that they were hit with a DNS attack and warned their users not to enter their seed phrase on their websites.