xToken Market: Public callFunction() in xSNXAdmin — same SNX price manipulation, different access control bug
Summary
xToken Market (Index / Passive Yield, wrapped SNX positions) suffered an exploit on 2021-08-30, resulting in a loss of approximately $5M.
What happened
xToken was exploited a second time for $4.5M — same xSNX contract, same SNX price manipulation technique — but via a different bug: a single incorrect `require` statement that made a dYdX-only callback function publicly callable.
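As an added, constructed illustration of the bug class described above (not the actual xSNXAdmin source, whose exact `require` is not reproduced here): a simplified dYdX-style `callFunction` callback whose guard tests a caller-supplied argument instead of `msg.sender`, beside the guard that restricts the callback to the lending contract. Interface, contract names and the simplified callback signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified dYdX-style callee interface (constructed; the real one also
// passes account info). dYdX Solo invokes callFunction on the borrower
// after funding the flash loan so the borrower can use the funds.
interface ICallee {
    function callFunction(address sender, bytes calldata data) external;
}

// VULNERABLE (constructed): the guard checks the `sender` argument, which a
// direct caller controls, instead of msg.sender. Anyone can call this
// function, pass an address that satisfies the check, and drive the SNX
// rebalance logic without a flash loan or dYdX being involved at all.
contract VulnerableAdmin is ICallee {
    address public immutable solo; // dYdX Solo margin contract (assumed)

    constructor(address _solo) { solo = _solo; }

    function callFunction(address sender, bytes calldata data) external override {
        require(sender == address(this), "not from dYdX"); // wrong: unverified argument
        _rebalance(data);
    }

    function _rebalance(bytes calldata) internal { /* trades SNX on a DEX */ }
}

// HARDENED: honour the callback only when the lending contract itself is the
// caller, and additionally require that this contract originated the loan.
// msg.sender cannot be forged by an external caller, so the rebalance path
// is reachable only inside a flash loan this contract started.
contract HardenedAdmin is ICallee {
    address public immutable solo;

    constructor(address _solo) { solo = _solo; }

    function callFunction(address sender, bytes calldata data) external override {
        require(msg.sender == solo, "caller is not dYdX Solo");
        require(sender == address(this), "loan not initiated by this contract");
        _rebalance(data);
    }

    function _rebalance(bytes calldata) internal { /* trades SNX on a DEX */ }
}
```

A review checklist item that catches this class: for every externally callable callback, confirm the access check is on `msg.sender` (or a value derived from it), never solely on a parameter the transaction supplies.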
Linked factors
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — incorrect require() survived PeckShield review twice]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — SNX price crashed during attack sequence visible on DEXes]