Crypto regulations in India, South Korea and the US dominate headlines
DeFi security concerns rekindled following Ethereum and BSC exploits
OKEx Insights digs into xToken and bEarn Fi — two recently exploited DeFi protocols on Ethereum and Binance Smart Chain.
The decentralized finance ecosystem dipped slightly this week as the total value locked in DeFi protocols reached $79.88 billion, as of the time of this writing. Maker led the DeFi market with a 17% share of the sector’s total value locked, as the total borrowing volume of DeFi protocols dropped 15% to $22.15 billion. The lending market is currently being led by Compound, which has a 36% market share.
The popularity of meme coins led to the tremendous growth of decentralized exchanges this week. Average weekly trading volumes rose 35% to $8.29 billion. Additionally, total DEX trading volume reached $84 billion in May — already surpassing April’s total of $80 billion. At the same time, SushiSwap remained the largest liquidity pool with a TVL of $2.11 billion.
|Category|Key statistics|Amount|Weekly % change|
|---|---|---|---|
|Overall|Total value locked (USD)|$79.88 billion|-1%|
|Overall|Market dominance (%)|Maker (17%)| |
|Lending|Total borrowing volume|$22.15 billion|-15%|
|Lending|Market dominance (%)|Compound (36%)| |
|DEXs|Weekly avg. trading vol.|$8.29 billion|35%|
|DEXs|Market dominance (%)|Uniswap (26%)| |
|Yield farming|Largest liquidity pool|SushiSwap ($2.11 billion)| |
xToken and bEarn Fi suffer flash loan attacks
DeFi security has once again come to the forefront after two protocols were hacked this week. xToken suffered from a flash loan attack and lost $25 million worth of assets, while Binance Smart Chain’s bEarn Fi lost $11 million from similar flash loan attacks.
Two crucial mistakes lead to xToken exploits
Built on Ethereum, xToken offers staking strategies for ERC-20 tokens — allowing users to earn passive income. With the advent of Bancor’s V2.1 protocol upgrade, xToken introduced xBNT staking.
The xToken team first discovered an exploit on the protocol’s xBNTa and xSNXa contracts on May 12 — which accounted for a loss of approximately $25 million across several assets. (Each asset in xToken’s liquidity pool is denoted by an “a” or “b,” and the letters represent different investment mandates.)
In the case of the xBNTa contracts, the xToken team did not validate the trade path that uses ETH to mint BNT. This lack of validation allowed hackers to mint infinite amounts of xBNTa, which they subsequently sold through the Bancor xBNTa/BNT pool.
The xToken team noted that no value was exploited directly from the xBNT contract. As a result, it tried to take snapshots of xBNTa, pre-exploit, to restore the full value for xBNTa holders. The team said it will notify users of the process for claiming xBNT soon.
In regard to the xSNXa exploit, the xToken team did not use an on-chain oracle to track the price of SNX, leaving the xSNXa/SNX pool vulnerable to price manipulation. Hackers took advantage by using flash loans to manipulate the SNX price. They then used ETH to mint xSNXa at a significantly discounted SNX price. The hackers then sold the minted xSNXa for SNX and ETH immediately on the Balancer pool. The xToken team noted that roughly 416 ETH was withdrawn from the xSNXa pool, representing 7%–8% of xSNXa’s net asset value.
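The following added example is not xToken's code and does not come from the article; it is a toy Python model of why pricing a mint off a pool's instantaneous spot price is fragile, and how a deviation check against a time-weighted average price rejects a price moved within a single transaction. The pool sizes, the 200 basis point limit, and the choice of a TWAP as the reference oracle are all assumptions made for illustration.

```python
# Added illustration: toy constant-product pool (x * y = k, no fees); all figures are constructed.
from fractions import Fraction

class Pool:
    """Toy SNX/ETH pool with a Uniswap-v2-style cumulative price for a TWAP."""
    def __init__(self, snx, eth):
        self.snx, self.eth = Fraction(snx), Fraction(eth)
        self.cumulative, self.elapsed = Fraction(0), 0

    def spot(self):
        """Instantaneous SNX price in ETH; moves with every trade."""
        return self.eth / self.snx

    def tick(self, seconds):
        """Advance time: the current spot price is held for `seconds`."""
        self.cumulative += self.spot() * seconds
        self.elapsed += seconds

    def twap(self):
        """Time-weighted average price over the observed window."""
        return self.cumulative / self.elapsed

    def sell_snx(self, amount):
        """Swap SNX into the pool, keeping snx * eth constant."""
        k = self.snx * self.eth
        self.snx += amount
        self.eth = k / self.snx

def snx_per_deposit(pool, eth_in, max_dev_bps=None):
    """SNX value credited for an ETH deposit; optionally guarded by a TWAP deviation limit."""
    spot = pool.spot()
    if max_dev_bps is not None:
        ref = pool.twap()
        if abs(spot - ref) * 10_000 > ref * max_dev_bps:
            raise ValueError("spot price deviates from TWAP; mint rejected")
    return eth_in / spot

def scenario():
    pool = Pool(snx=100_000, eth=1_000)    # spot = 0.01 ETH per SNX
    pool.tick(600)                         # ten minutes at the normal price
    normal = snx_per_deposit(pool, 10)
    pool.sell_snx(100_000)                 # large sale inside one transaction: no time elapses
    skewed = snx_per_deposit(pool, 10)     # spot-only pricing over-credits the minter
    try:
        guarded = snx_per_deposit(pool, 10, max_dev_bps=200)
    except ValueError:
        guarded = None                     # guarded mint refuses the manipulated price
    return normal, skewed, guarded
```

Because the price move and the mint happen with no time elapsed, the TWAP stays at the pre-trade level and the guarded path raises instead of quoting the discounted price.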
To prevent further exploits, the xToken team has disabled the minting of all contracts in the liquidity pool. Michael Cohen, the founder of xToken, proposed allocating 2% of the protocol’s native XTK tokens to the victims over a one-year vesting period — which has caused some debate in the community.
Withdrawal bugs result in bEarn Fi hack
bEarn Fi is a cross-chain automatic yield-farming protocol built on Binance Smart Chain. Its team saw a significant increase in BUSD deposits and discovered an exploit on its BUSD Alpaca vault.
According to bEarn Fi’s post-mortem, the attacker first took out a $7.8 million flash loan on Cream Finance. They then made repeated deposits and withdrawals on bVaults 30 times. The attacker repaid the flash loan and is expected to drain $10.86 million worth of assets.
The bEarn Fi team identified the hack as a result of bugs found in the withdrawal function. The bug increased the locked BUSD amount while there was no new deposit. This led to the inflated BUSD deposits, as observed by the bEarn Fi team.
To prevent further exploits, the bEarn Fi team contacted Binance to block the hacker’s fund transfer. Meanwhile, deposits and withdrawals for all bVaults are temporarily suspended. The bEarn Fi team will create a compensation fund and affected users are expected to receive an extra 5% of their deposited amounts.