
xToken
Hacked · DeFi · born 2020 · ✝ 2021
A manipulated price oracle drained ~$24M.
xToken offered tokenized, auto-managed staking and liquidity strategies on Ethereum. In May 2021 an attacker used flash loans to manipulate the price oracle behind its xSNX and xBNT products, draining roughly $24M.
- Peak: ~$24M stolen
- Cause: Hacked
- Year of death: 2021
☠️ Cause of death
The contracts priced assets off a manipulable spot source, so a flash-loan-skewed price let the attacker mint and redeem at distorted rates.
📓 Lessons left behind
- Never price strategy assets off manipulable spot pools.
- Use time-weighted or multi-source oracles.
- Flash loans make single-block price manipulation cheap.
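
To make the lessons above concrete, here is an added simulation (not xToken's code) of a fee-less constant-product pool, comparing the spot price with a simplified per-block TWAP after one oversized trade, plus a deviation guard. The reserves, trade size, window length and all names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (no fees) with a per-block cumulative price."""
    base: float              # reserve of the asset being priced
    quote: float             # reserve of the quote asset
    cumulative: float = 0.0  # sum of block-closing prices

    def spot(self) -> float:
        return self.quote / self.base

    def end_block(self) -> float:
        """Accrue the price this block closed at; return the running total."""
        self.cumulative += self.spot()
        return self.cumulative

    def swap_quote_in(self, amount: float) -> None:
        k = self.base * self.quote
        self.quote += amount
        self.base = k / self.quote


def twap(obs: list, window: int) -> float:
    """Mean closing price over the last `window` closed blocks."""
    return (obs[-1] - obs[-1 - window]) / window


def guarded_price(spot: float, reference: float, max_dev: float = 0.05) -> float:
    """Price off the TWAP, and refuse to act while spot has diverged from it."""
    if abs(spot - reference) / reference > max_dev:
        raise ValueError("spot deviates from TWAP; refusing to price")
    return reference


def run(window: int = 30, skew_held_blocks: int = 0):
    """Return (spot, twap) as read right after a large one-sided trade."""
    pool = Pool(base=1_000.0, quote=1_000_000.0)  # constructed: fair price 1000
    obs = [0.0] + [pool.end_block() for _ in range(100)]
    pool.swap_quote_in(9_000_000.0)               # constructed skew trade
    # A flash loan is repaid in the same transaction, so no block closes at
    # the skewed price (skew_held_blocks=0). Holding it longer leaks into TWAP.
    obs += [pool.end_block() for _ in range(skew_held_blocks)]
    return pool.spot(), twap(obs, window)


if __name__ == "__main__":
    print(run())                    # single-block skew: spot moves, TWAP does not
    print(run(skew_held_blocks=1))  # skew held one block: TWAP is partly dragged
```

A TWAP is resistant rather than immune: a skew held across closed blocks still moves it, which is why the guard refuses to price while spot and TWAP disagree.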
🌱 The idea that survived
Manipulation-resistant oracles
Drove adoption of TWAP and multi-source pricing in structured DeFi products.
#defi #flash-loan #oracle