Decentralized finance (DeFi) protocol xToken suffered one other exploit following a vulnerability within the xSNX contract, which resulted within the inability of $4.5 million. Cream Finance protocol moreover lost over $26 million from a flash loan attack.
Attackers Drain $4.5 Million from xToken
The personnel within the encourage of the xToken mission presented the suggestions of the xSNX exploit by the utilization of Twitter on August 29. A submit mortem used to be later printed detailing the attack and subsequent decision applied by the personnel.
In response to the file, the attack used to be applied the use of a flash loan. The hacker attacker took a flash loan for 25,000 ETH ($79.6 million). The ETH used to be then aged to borrow 1 million SNX by the utilization of the lending and borrowing protocol Aave, and swap terminate to 7,000 ETH for 519,000 SNX on liquidity protocol Bancor, leaving the attacker with 1.5 million SNX tokens.
The SNX used to be later swapped for six.5 million USDC, causing a essential plunge within the SNX be conscious. Furthermore, the USDC used to be swapped for six.5 million of sUSD, Synthetix’s USD token, on Curve. With the attacker in a location to reap the benefits of a vulnerability within the xSNX contract, the rouge actor provided 614,000 SNX at an artificially miserable be conscious for 811,000 sUSD, which used to be swapped for 811,000 USDC.
This recent attack marks the second time xToken is suffering an exploit. Assist in May well, the xToken personnel printed that a malicious hacker exploited a bug within the xSNXa and xBNTa contracts, and drained practically $25 million from the protocol.
Meanwhile, xToken in its most up-to-date submit mortem acknowledged that it could quit offering the xSNX product, whereas moreover working on a compensation notion. In response to the file:
“At present, we predict about it most productive to sundown our xSNX product offering. The latest xSNX implementation is by far our most refined product, with advanced dependencies and principal surface condo for vulnerabilities.”
Cream Finance hit with Flash Loan Assault, Loses Over $26 Million
But any other DeFi protocol that used to be struck twice used to be Cream Finance. Blockchain safety firm PeckShield, first reported a flash loan attack on the mission on Monday (August 30, 2021), with the attacker stealing $18.8 million from the platform.
Cream Finance confirmed the file, adding that it lost 418,311,571 AMP and 1,308.09 ETH tokens, with both value $26.8 million dollars. In response to the attack, the personnel within the encourage of the mission said:
“Now we own stopped the exploit by pausing provide and borrow on AMP. No other markets had been affected.”
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a shortage of 418,311,571 in AMP and 1,308.09 in ETH, by the utilization of reentrancy on the AMP token contract.
Now we own stopped the exploit by pausing provide and borrow on AMP. No other markets had been affected.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021
The essential attack on protocol took location encourage in February DeFi product Alpha Homora reported an exploit the use of Cream’s iron monetary institution service, that resulted within the inability of over $37 million.
In March, Cream printed that they had been hit with a DNS attack and warned their users no longer to enter their seed phrase on their web sites.