
DeFi security concerns rekindled following Ethereum and BSC exploits

2021.05.19 Matthew Lam

OKEx Insights digs into xToken and bEarn Fi — two recently exploited DeFi protocols on Ethereum and Binance Smart Chain. 

The decentralized finance ecosystem dipped slightly this week, with the total value locked in DeFi protocols at $79.88 billion as of the time of this writing. Maker led the DeFi market with a 17% share of the sector's total value locked, while the total borrowing volume of DeFi protocols dropped 15% to $22.15 billion. The lending market is currently led by Compound, which has a 36% market share.

The popularity of meme coins led to the tremendous growth of decentralized exchanges this week. Average weekly trading volumes rose 35% to $8.29 billion. Additionally, total DEX trading volume reached $84 billion in May — already surpassing April’s total of $80 billion. At the same time, SushiSwap remained the largest liquidity pool with a TVL of $2.11 billion.

Category        Key statistic               Amount                       Weekly % change
Overall         Total value locked (USD)    $79.88 billion               -1%
                Market dominance (%)        Maker (17%)
Lending         Total borrowing volume      $22.15 billion               -15%
                Market dominance (%)        Compound (36%)
DEXs            Weekly avg. trading vol.    $8.29 billion                +35%
                Market dominance (%)        Uniswap (26%)
Yield farming   Largest liquidity pool      SushiSwap ($2.11 billion)

Uniswap led DEXs with a 26% market share. Source: DeFi Pulse and DeBank

xToken and bEarn Fi suffer flash loan attacks

DeFi security has once again come to the forefront after two protocols were exploited this week. xToken suffered a flash loan attack and lost roughly $25 million worth of assets, while Binance Smart Chain's bEarn Fi lost around $11 million to a similar flash-loan-funded attack.

Two crucial mistakes led to the xToken exploits

Built on Ethereum, xToken offers staking strategies for ERC-20 tokens — allowing users to earn passive income. With the advent of Bancor’s V2.1 protocol upgrade, xToken introduced xBNT staking.

The xToken team first discovered an exploit of the protocol's xBNTa and xSNXa contracts on May 12, which accounted for a loss of approximately $25 million across several assets. (Each asset in xToken's liquidity pool is denoted by an "a" or "b" suffix; the letters represent different investment mandates.)

In the xBNTa contract, the xToken team did not validate the trade path used when ETH is swapped for BNT to mint xBNTa. With the path left unchecked, the attacker was able to have the contract credit an essentially unlimited amount of xBNTa, which was then sold through the Bancor xBNTa/BNT pool.

The xToken team noted that no value was taken directly from the xBNT contract itself. It is therefore taking a pre-exploit snapshot of xBNTa balances in order to restore full value to xBNTa holders, and said it would notify users of the process for claiming xBNT soon.

In the xSNXa exploit, the xToken team did not source the SNX price from a manipulation-resistant oracle; the contract relied on a spot rate that a single large trade could move, leaving the xSNXa/SNX pool open to price manipulation. The attacker used a flash loan to push the SNX price down, minted xSNXa with ETH at that artificially depressed price, and immediately sold the freshly minted xSNXa for SNX and ETH on the Balancer pool. The xToken team said roughly 416 ETH was withdrawn from the xSNXa pool, about 7%–8% of xSNXa's net asset value.
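The mechanics above (borrow, skew the pool, mint against the skewed price, restore the pool, repay, then sell the shares at fair value) reduce to a short model. The Python below is an added illustration and is not xToken's code; the constant-product pool, the vault with 100,000 SNX backing 100,000 shares, the 4,000,000 SNX flash loan and the 2% deviation bound are all constructed, and swap fees and flash loan fees are set aside so the attacker's only cost is the ETH spent on the mint. Passing a reference price turns on the check a hardened mint would perform.

```python
from dataclasses import dataclass
from typing import Optional

MAX_DEVIATION = 0.02   # assumed tolerance: refuse to mint if spot is >2% away from the reference price


@dataclass
class ConstantProductPool:
    """Toy x*y=k SNX/ETH pool with no swap fee (constructed model, float token units)."""
    snx: float
    eth: float

    def eth_per_snx(self) -> float:
        """Spot price: one large trade moves it arbitrarily within a single transaction."""
        return self.eth / self.snx

    def swap_snx_for_eth(self, snx_in: float) -> float:
        k = self.snx * self.eth
        new_snx = self.snx + snx_in
        eth_out = self.eth - k / new_snx
        self.snx, self.eth = new_snx, self.eth - eth_out
        return eth_out

    def swap_eth_for_snx(self, eth_in: float) -> float:
        k = self.snx * self.eth
        new_eth = self.eth + eth_in
        snx_out = self.snx - k / new_eth
        self.snx, self.eth = self.snx - snx_out, new_eth
        return snx_out


class Vault:
    """Holds SNX plus any ETH taken in by mints and issues shares against NAV measured in ETH."""

    def __init__(self, snx: float, supply: float, pool: ConstantProductPool,
                 reference_price: Optional[float]):
        self.snx, self.eth, self.supply, self.pool = snx, 0.0, supply, pool
        self.reference_price = reference_price   # None reproduces the vulnerable behaviour

    def nav_per_share(self, eth_per_snx: float) -> float:
        return (self.snx * eth_per_snx + self.eth) / self.supply

    def mint_with_eth(self, eth_in: float) -> float:
        spot = self.pool.eth_per_snx()
        if self.reference_price is not None:
            # Hardened path: compare the pool spot against an independent reference (an oracle
            # or TWAP in practice) and refuse to mint while they disagree.
            deviation = abs(spot - self.reference_price) / self.reference_price
            if deviation > MAX_DEVIATION:
                raise ValueError(f"spot {spot:.6f} deviates {deviation:.0%} from reference")
        shares = eth_in / self.nav_per_share(spot)   # vulnerable: NAV priced straight off the spot
        self.eth += eth_in
        self.supply += shares
        return shares

    def redeem(self, shares: float, eth_per_snx: float) -> float:
        """ETH value of a pro-rata redemption at the given (fair) price."""
        frac = shares / self.supply
        value = frac * (self.snx * eth_per_snx + self.eth)
        self.snx -= frac * self.snx
        self.eth -= frac * self.eth
        self.supply -= shares
        return value


def run_attack(use_reference_price: bool) -> float:
    """Attacker's profit in ETH from one mint; 0.0 when the hardened check blocks the mint."""
    pool = ConstantProductPool(snx=1_000_000.0, eth=10_000.0)     # fair price 0.01 ETH per SNX
    fair = pool.eth_per_snx()
    vault = Vault(snx=100_000.0, supply=100_000.0, pool=pool,
                  reference_price=fair if use_reference_price else None)
    loan = 4_000_000.0        # flash-borrowed SNX (constructed figure)
    eth_spent = 100.0
    # 1. Dump the borrowed SNX into the pool: SNX now looks 25x cheaper in ETH.
    eth_from_dump = pool.swap_snx_for_eth(loan)
    try:
        # 2. Mint against the depressed NAV.
        shares = vault.mint_with_eth(eth_spent)
    except ValueError:
        shares = 0.0
    # 3. Buy the SNX back and repay the loan (fee-less pool, so the round trip costs nothing).
    snx_back = pool.swap_eth_for_snx(eth_from_dump)
    if abs(snx_back - loan) > 1e-6:
        raise RuntimeError("model error: could not repay flash loan")
    if shares == 0.0:
        return 0.0
    # 4. Realise the shares at the restored fair price (what a Balancer sale roughly nets).
    return vault.redeem(shares, fair) - eth_spent


if __name__ == "__main__":
    print(f"vulnerable vault: attacker profit {run_attack(False):.2f} ETH")
    print(f"hardened vault:   attacker profit {run_attack(True):.2f} ETH")
```

In the vulnerable run the attacker turns 100 ETH into roughly 785 ETH of claims on the vault, all of it taken from existing xSNXa holders, whose shares now back well under a third of what they did before; the reference check rejects the same mint because the spot has moved 96% from the reference.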

To prevent further exploits, the xToken team has disabled minting across all contracts in the liquidity pool. Michael Cohen, the founder of xToken, proposed allocating 2% of the protocol's native XTK tokens to the victims over a one-year vesting period, a proposal that has caused some debate in the community.

Withdrawal bugs result in bEarn Fi hack

bEarn Fi is a cross-chain automatic yield-farming protocol built on Binance Smart Chain. Its team noticed an abnormal spike in BUSD deposits and traced it to an exploit of its BUSD Alpaca vault.

According to bEarn Fi's post mortem, the attacker first took out a $7.8 million flash loan on Cream Finance, then repeated a deposit-and-withdraw cycle against the bVault 30 times. After repaying the flash loan, the attacker walked away with $10.86 million worth of assets.

The bEarn Fi team identified the root cause as a bug in the vault's withdrawal function. Each withdrawal increased the amount of BUSD the vault recorded as locked even though no new deposit had been made, which produced the inflated BUSD deposit figures the team observed.

The bEarn Fi team used the BUSD amount where the ibBUSD (interest-bearing BUSD) share amount was required in the fair launch contract, and this unit confusion is what opened the BUSD Alpaca vault to the exploit. Source: bEarn Fi
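The unit confusion described in the post mortem (a BUSD amount passed where an ibBUSD share amount was expected) can be reduced to a small model that shows why a repeated deposit-and-withdraw loop drains the vault. The Python below is an added illustration, not bEarn Fi's code: the lending strategy, the vault, the exchange rate of 1.25 BUSD per ibBUSD, the 5,000,000 BUSD of honest deposits and the 1,000,000 BUSD flash loan are constructed figures, and flash loan fees and the vault's "locked amount" bookkeeping are set aside. The `buggy` flag selects between the faulty conversion and the corrected one.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class InterestBearingStrategy:
    """Stand-in for an Alpaca-style lending pool (constructed model). ibBUSD is a share of a
    BUSD reserve, so rate = BUSD per ibBUSD sits above 1.0 once interest has accrued."""
    busd_reserve: float
    ib_supply: float

    @property
    def rate(self) -> float:
        return self.busd_reserve / self.ib_supply

    def deposit(self, busd: float) -> float:
        """Takes BUSD, returns ibBUSD shares; the rate is unchanged by a deposit."""
        shares = busd / self.rate
        self.busd_reserve += busd
        self.ib_supply += shares
        return shares

    def withdraw(self, ib_shares: float) -> float:
        """Burns ibBUSD shares, returns BUSD at the current rate."""
        busd = ib_shares * self.rate
        self.ib_supply -= ib_shares
        self.busd_reserve -= busd
        return busd


@dataclass
class Vault:
    """Credits users in BUSD while holding their funds as ibBUSD in the strategy."""
    strategy: InterestBearingStrategy
    buggy: bool
    ib_held: float = 0.0
    credited: Dict[str, float] = field(default_factory=dict)

    def deposit(self, user: str, busd: float) -> None:
        self.ib_held += self.strategy.deposit(busd)
        self.credited[user] = self.credited.get(user, 0.0) + busd

    def withdraw(self, user: str, busd_amount: float) -> float:
        if busd_amount > self.credited.get(user, 0.0):
            raise ValueError("insufficient balance")
        self.credited[user] -= busd_amount
        if self.buggy:
            ib_to_redeem = busd_amount                        # BUG: BUSD passed where ibBUSD is expected
        else:
            ib_to_redeem = busd_amount / self.strategy.rate   # fix: convert BUSD to ibBUSD shares first
        ib_to_redeem = min(ib_to_redeem, self.ib_held)       # a vault cannot redeem more than it holds
        self.ib_held -= ib_to_redeem
        return self.strategy.withdraw(ib_to_redeem)


def run_attack(buggy: bool, cycles: int = 30) -> Tuple[float, float]:
    """Returns (attacker profit after repaying the loan, BUSD value left for honest depositors)."""
    strategy = InterestBearingStrategy(busd_reserve=100_000_000.0, ib_supply=80_000_000.0)  # rate 1.25
    vault = Vault(strategy, buggy=buggy)
    vault.deposit("honest", 5_000_000.0)      # pre-existing depositors (constructed figure)
    loan = 1_000_000.0                         # flash-borrowed BUSD (constructed figure)
    capital = loan
    for _ in range(cycles):
        # Each cycle: deposit everything, withdraw the same BUSD figure. On the buggy vault the
        # withdrawal burns `capital` ibBUSD, worth capital * rate BUSD, so capital compounds by
        # the rate every cycle until the honest depositors' ibBUSD is exhausted.
        vault.deposit("attacker", capital)
        capital = vault.withdraw("attacker", capital)
    honest_remaining = vault.ib_held * strategy.rate
    return capital - loan, honest_remaining


if __name__ == "__main__":
    for flag in (True, False):
        profit, remaining = run_attack(buggy=flag)
        print(f"buggy={flag}: attacker profit {profit:,.2f} BUSD, honest funds left {remaining:,.2f} BUSD")
```

With the constructed numbers the buggy vault is empty after nine cycles and the attacker leaves with all 5,000,000 BUSD of honest deposits on top of the repaid loan; the corrected conversion returns exactly the deposited amount on every cycle, so the same 30-cycle loop yields nothing. The general lesson is that any vault which tracks balances in one unit and holds assets in another needs the conversion applied on every path that touches the strategy, and an invariant such as "credited BUSD never exceeds ib_held times rate" checked after each withdrawal would have caught this before funds left.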

To contain the damage, the bEarn Fi team contacted Binance to block the attacker's fund transfers, and deposits and withdrawals for all bVaults are temporarily suspended. The team will create a compensation fund, and affected users are expected to receive their deposits back plus an extra 5%.

OKEx Insights presents market analyses, in-depth features, original research & curated news from crypto professionals. 


Disclaimer: This material should not be taken as the basis for making investment decisions, nor be construed as a recommendation to engage in investment transactions. Trading digital assets involves significant risk and can result in the loss of your invested capital. You should ensure that you fully understand the risks involved, take into consideration your level of experience and investment objectives, and seek independent financial advice if necessary.
