xToken was attacked today.
1. The attacker loaned 25,000 ETH from dydx
2. The attacker used part of the borrowed ETH to mortgage into AAVE V1 and V2 respectively, and loaned a large amount of SNX
3. The attacker used part of the borrowed ETH to exchange SNX from Bancor
4. Swap SNX to sUSD (6,522,480) through KyberNetwork
-> Swap through the Uniswap/SUSHI/Curve, resulting in large slippage in these exchange pools
5. The attacker transferred 2,037,253 sUSD into the xSNX contract in preparation for bypassing the inspection later
6. Call the callFunction function of the xSNX contract
-> Through the comments, we can know that this function is used to flash loan and then call this function to return the debt.
-> This function will first convert the loaned USDC into sUSD, the amount is the loanAmount (1) passed in by the attacker.
-> Burn sUSD liabilities
-> Convert the SNX in the contract to sUSD, the swap amount is the snxAmount passed in by the attacker (about 614,240)
-> Swap through Kyber/Uniswap/SUSHI/Curve, where slippage has been generated in the fourth step above
-> The 614,240 SNX should theoretically be exchanged for 6,756,640 sUSD
-> But the slippage was not checked, only 808,433 sUSD was swapped
-> After that, sUSD is converted into 811,078 USDC to return the debt
-> The loanAmount passed in before is 1
-> So the final check usdcBalance> loanAmount + 2 is 811,078> 1 + 2 is established and bypassed the check.
7. Then the attacker only needs to convert the remaining large amount of sUSD (4,485,227, which is the remaining amount of step 4 and step 5) into SNX through Kyber against Step 4, and attacker can get the SNX tokens left over due to the slippage in the xSNX contract.
8. After that, the flash loan will be returned through regular swap into corresponding tokens.
