On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol affecting Metal X DeFi lending market smart contract (lending.loan) by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured. During the incident the following funds were unwrapped before detection: 2868071.411598 DOGE, 17.00633643 LTC, 189935.044555 XRP, 0.00179913 BTC and 0.0304795331175 ETH

The timeline of events is as follows:

- Sep 05, 2024 09:59:52 PM (PST) Letsgop KYC’ed an account

- Sep 07, 2024 11:39:36 PM (PST) Letsgop created the letsgopuppy account

- Sep 07, 2024 11:48:22 PM (PST) Letsgop funded the ram for letsgopuppy with 4 XLTC

- Sep 08, 2024 12:01:47 AM (PST) letsgopuppy pushed the contract

- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a contain a series actions and table are not abi generated 

- Actions are a stack of mint and redeem loop

- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a is the last action executed on the letsgopuppy account is to send to another account that was KYC verified Letsgop

- Sep 08, 2024 12:15:55 AM (PST)  transaction ID: 5051099a  Letsgop attempts to unwrap by interacting with the proton.wrap smart contract

- Sep 08, 2024, 12:51AM (PST) The attack is detected and preventative measures engaged to secure funds

Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun; while putting into place new security measures, controls and early-detection mechanisms to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality. 

If you receive an email speaking about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.

You can contact support via help.xprnetwork.org