Loan Protocol Update

Sep 11, 2024

Update regarding the Loan Protocol

On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol, affecting the Metal X DeFi lending market smart contract (lending.loan), by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack, the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured. During the incident the following funds were unwrapped before detection: 2868071.411598 DOGE, 17.00633643 LTC, 189935.044555 XRP, 0.00179913 BTC and 0.0304795331175 ETH.

The timeline of events is as follows:

- Sep 05, 2024 09:59:52 PM (PST) Letsgop KYC’ed an account

- Sep 07, 2024 11:39:36 PM (PST) Letsgop created the letsgopuppy account

- Sep 07, 2024 11:48:22 PM (PST) Letsgop funded the ram for letsgopuppy with 4 XLTC

- Sep 08, 2024 12:01:47 AM (PST) letsgopuppy pushed the contract

- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a contains a series of actions and tables that are not ABI generated

- The actions are a stack of mint and redeem actions in a loop

- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a: the last action executed on the letsgopuppy account is to send to another account that was KYC verified, Letsgop

- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a: Letsgop attempts to unwrap by interacting with the proton.wrap smart contract

- Sep 08, 2024, 12:51 AM (PST) The attack is detected and preventative measures are engaged to secure funds
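The timeline reduces to three indicators that can be checked per transaction: a mint/redeem loop against lending.loan, an actor whose contract code was deployed minutes earlier, and a proton.wrap interaction in the same transaction. The following is an added example of such a check, not Metallicus's detection code; the trace tuple shape, the thresholds, the token account and the non-mint/redeem action names are assumptions, and the sample traces are constructed.

```python
from datetime import datetime, timedelta

LENDING, WRAP = "lending.loan", "proton.wrap"  # contract names from the notice

def indicators(actions, deployed_at, min_cycles=3, fresh=timedelta(hours=1)):
    """Return the indicators one transaction matches.

    actions: ordered list of (time, actor, contract, action_name) tuples, a
    simplified trace shape assumed for this example.
    deployed_at: {account: datetime its contract code was last set}.
    min_cycles and fresh are illustrative thresholds, not values from the notice.
    """
    hits = []
    calls = {}
    for _, actor, contract, name in actions:
        if contract == LENDING and name in ("mint", "redeem"):
            calls.setdefault(actor, []).append(name)
    tx_time = actions[0][0]
    for actor, seq in calls.items():
        # Count each mint that is immediately followed by a redeem from the same actor.
        cycles = sum(1 for a, b in zip(seq, seq[1:]) if (a, b) == ("mint", "redeem"))
        if cycles < min_cycles:
            continue
        hits.append(f"loop:{actor}:{cycles}")
        # Accounts with no recorded deployment get a very large age and are not "fresh".
        age = tx_time - deployed_at.get(actor, datetime.min)
        if age <= fresh:
            hits.append(f"fresh-code:{actor}:{age}")
    # An unwrap only counts when it rides along with a flagged loop.
    if hits and any(contract == WRAP for _, _, contract, _ in actions):
        hits.append("unwrap-in-same-tx")
    return hits

# Constructed sample: timestamps follow the timeline above, but the action list
# is illustrative and is not the on-chain trace of the real transaction.
# "tokens.xmpl", "transfer" and "placeholder" are placeholder names.
T = datetime(2024, 9, 8, 0, 15, 55)
DEPLOYED = {"letsgopuppy": datetime(2024, 9, 8, 0, 1, 47)}
SUSPECT = [(T, "letsgopuppy", LENDING, n) for n in ["mint", "redeem"] * 3]
SUSPECT += [(T, "letsgopuppy", "tokens.xmpl", "transfer"),
            (T, "letsgop", WRAP, "placeholder")]
NORMAL = [(T, "alice", LENDING, "mint"), (T, "alice", LENDING, "redeem")]

if __name__ == "__main__":
    print(indicators(SUSPECT, DEPLOYED))
    print(indicators(NORMAL, DEPLOYED))
```

A single mint followed by a redeem, as in `NORMAL`, stays below the loop threshold and produces no indicators.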

Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun, while new security measures, controls and early-detection mechanisms are being put into place to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality.

If you receive an email about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.

You can contact support via help.xprnetwork.org

Metal X is a service of Metallicus, Inc., a licensed provider of money transfer services (NMLS ID: 2057807).
All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.’s licenses. © 2024 Metallicus, Inc.

License issued to Metallicus by the Louisiana Office of Financial Institutions does not cover the exchange or transmission of virtual currency. All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.'s licenses and/or the applicable law depending on the jurisdiction.
