Initial Report on xBNTa, xSNXa Exploit

michael j. cohen
xToken
May 12, 2021

An attacker exploited the xBNTa and xSNXa contracts at 9:44 am EST today (May 12). The contracts were exploited simultaneously within a single transaction and the xBNTa Bancor pool as well as the xSNXa Balancer pool were immediately drained. We noticed price and supply discrepancies on our frontend about ten minutes later and several community members alerted us around this time as well. Minting on all xToken contracts was paused by 10:14 am.

We are deeply, deeply sorry for the loss of funds and are exploring the best path forward. Total value lost on the Bancor and Balancer liquidity pools was about $25m across several assets. Total value lost directly on the xSNXa contract was 416 ETH. No value was lost directly on the xBNT contract.

While the attacker minted large amounts of xBNT and xSNX supply in order to drain the liquidity pools, all of the BNT and SNX remains in the xToken contracts. That said, 416 ETH was extracted from the xSNX contract (the xSNX contract holds ETH as part of a debt-hedging strategy).

xBNTa Exploit

Our xBNT contract allows investors to mint xBNT with ETH. The contract exchanges the ETH for BNT on Bancor and uses the BNT acquired to calculate the correct amount of xBNT to mint. We pass a trade “path” via a parameter in the mint function that instructs the contract to exchange the ETH for BNT. Unfortunately, we did not validate that the trade path concluded with BNT, and the exploiter exchanged for a token called SPD to spoof the transaction’s BNT contribution to the contract’s holdings, allowing an infinite mint. The attacker subsequently sold all xBNTa on the Bancor xBNTa/BNT pool.
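The missing path check described above, shown as an added Python model rather than xToken's contract code. ToyRouter, ToyFund, the exchange rates and the pro-rata share formula are constructed for illustration, and the balance-delta check in mint_checked goes one step beyond the fix the report names.

```python
from collections import defaultdict

ETH, BNT, SPD = "ETH", "BNT", "SPD"  # SPD: the non-BNT token named in the report

class ToyRouter:
    """Constructed stand-in for an exchange: fixed rates, output per 1 ETH."""
    RATES = {BNT: 500, SPD: 1_000_000}  # constructed values

    def swap(self, path, eth_in, balances):
        out = eth_in * self.RATES[path[-1]]
        balances[path[-1]] += out  # recipient is credited with the path's last token
        return out

class ToyFund:
    """Hypothetical pooled fund: shares are minted pro rata to BNT contributed."""
    def __init__(self, bnt_held, supply):
        self.router = ToyRouter()
        self.balances = defaultdict(int, {BNT: bnt_held})
        self.supply = supply

    def _issue(self, bnt_added, bnt_before):
        minted = self.supply * bnt_added // bnt_before
        self.supply += minted
        return minted

    def mint_unchecked(self, path, eth_in):
        # Flaw described in the report: the swap output is assumed to be BNT.
        bnt_before = self.balances[BNT]
        acquired = self.router.swap(path, eth_in, self.balances)
        return self._issue(acquired, bnt_before)

    def mint_checked(self, path, eth_in):
        # Check 1: reject any path that does not run from ETH to BNT.
        if len(path) < 2 or path[0] != ETH or path[-1] != BNT:
            raise ValueError("trade path must start at ETH and end at BNT")
        bnt_before = self.balances[BNT]
        self.router.swap(path, eth_in, self.balances)
        # Check 2 (defense in depth): credit only the measured BNT increase.
        acquired = self.balances[BNT] - bnt_before
        if acquired <= 0:
            raise ValueError("swap added no BNT")
        return self._issue(acquired, bnt_before)

if __name__ == "__main__":
    fund = ToyFund(bnt_held=1_000_000, supply=1_000_000)
    print("unchecked, ETH->SPD path mints:", fund.mint_unchecked([ETH, SPD], 1))
    print("BNT held afterwards:", fund.balances[BNT])
```

In the unchecked version the share supply doubles while the fund's BNT balance stays the same; the checked version rejects the same path before any swap takes place.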

xBNTa Remediation

Fortunately, no value was extracted directly from the xBNT contract. This doesn’t forgive the enormous loss suffered by LPs; however, it should allow us to restore full value to holders of xBNTa pre-exploit. We are snapshotting 1) xBNTa holders who were simply holding in their wallets and 2) xBNTa holders who had contributed to the xBNTa/BNT liquidity pool on Bancor. We will follow up with more information on how to claim your new xBNT in the coming days. We ask that you be patient with us as this is a delicate process and we’re intent on getting it right.

xSNXa Exploit

xSNX is our most complicated contract, as it holds SNX, ETH, ETHRSI6040 and sUSD debt. We need to value the assets in common terms in order to calculate net asset value. As such, the assets in the contract are valued in terms of ETH.

We allow investors to mint xSNX with ETH. In some cases, the ETH is exchanged for SNX and in some cases the ETH is maintained as part of the hedging portfolio. In cases like this one, where the ETH is converted to SNX, we calculate the ETH/SNX ratio (for valuation purposes) by comparing the user’s ETH contribution to the amount of SNX acquired (the xSNX contract routes trades through Kyber’s aggregator).

We did not use an on-chain oracle in the xSNX contract. However, our approach was clearly vulnerable to manipulation and we take full responsibility for the exploit. The attacker used flash loans to manipulate the price of SNX before using ETH to mint xSNXa at a significantly reduced SNX price. This allowed the attacker to mint a disproportionate amount of xSNXa, which was immediately sold for SNX and ETH on the Balancer pool.

xSNXa Remediation

Roughly 416 ETH was extracted from xSNXa, representing 7–8% of the net asset value of the contract. The other 90+% of value remains in the xSNX contract and will be retrievable to holders. We are exploring ways to restore the ETH value to the contract, but given the size of the loss, we may need to distribute the value over time.

We will be snapshotting xSNXa balances (both vanilla holders and LPs) and providing a new token to allow holders to reclaim their value. Again, this is a delicate process and xSNX is a complicated contract, so please allow us the time to do this carefully.

Final Thoughts

  • Minting on all contracts will remain disabled until we can confirm that similar exploits are not possible on our other funds
  • We will follow up in the coming days on more detailed plans for holders to recover their tokens
  • We are humbled by the support we’ve received from the xToken community and DeFi at large
  • We had already introduced a security feature to an upcoming product that would have prevented this attack. We are despondent that we hadn’t yet had the opportunity to introduce it across the product suite
  • We assume the hacker covered their tracks, but if by some chance they didn’t (for example, by leaking data through use of the FlashBots API), please reach out with any information
  • DeFi can be brutal and we imagine it’ll take us some time to regain the trust of our stakeholders. However, we fully intend to put in the work and we hope we can regain your trust over time
