Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 033Flash Loan Attack

xToken Flash-Loan Manipulation

xToken lost $24M when xSNXa and xBNTa priced from manipulable pools; a flash loan let the attacker mint strategy tokens cheaply and redeem the real underlying.

Date
Victim
xToken
Chain(s)
Ethereum
Status
Funds Stolen

On May 12, 2021, xToken lost approximately $24 million when its xSNXa and xBNTa liquidity-strategy tokens were exploited via flash-loan price manipulation. The strategies priced mint/redeem from manipulable pools; the attacker skewed the pools, minted strategy tokens cheaply, and redeemed them for the real underlying assets.

What happened

xToken's xSNXa/xBNTa minting and redemption relied on on-chain prices an attacker could move with flash-loaned capital. The attacker manipulated the relevant Balancer/Kyber/Uniswap pools, acquired strategy tokens at a distorted rate, and redeemed for far more underlying than fairly owed (~$24M). (xToken suffered a second, separate incident in August 2021.)

Why it matters

xToken is one of the larger 2021 flash-loan strategy-token mispricing cases (Harvest, Value DeFi, Cream). Its repeat (May then August 2021) also places it in the multi-incident group. The throughline never changes: a tokenised strategy whose mint/redeem price is read from a manipulable venue is an arbitrage faucet for anyone with a flash loan. By May 2021 this had already been demonstrated repeatedly since February 2020; xToken is the ecosystem, again, not having read its own post-mortems.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-xtoken-hack-may-2021
  2. [02]rekt.newshttps://rekt.news/xtoken-rekt

Related filings