Sep 11, 2024
Update regarding the Loan Protocol
On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol affecting Metal X DeFi lending market smart contract (lending.loan) by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured. During the incident the following funds were unwrapped before detection: 2868071.411598 DOGE, 17.00633643 LTC, 189935.044555 XRP, 0.00179913 BTC and 0.0304795331175 ETH
The timeline of events is as follows:
- Sep 05, 2024 09:59:52 PM (PST) Letsgop KYC’ed an account
- Sep 07, 2024 11:39:36 PM (PST) Letsgop created the letsgopuppy account
- Sep 07, 2024 11:48:22 PM (PST) Letsgop funded the ram for letsgopuppy with 4 XLTC
- Sep 08, 2024 12:01:47 AM (PST) letsgopuppy pushed the contract
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a contain a series actions and table are not abi generated
- Actions are a stack of mint and redeem loop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a is the last action executed on the letsgopuppy account is to send to another account that was KYC verified Letsgop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a Letsgop attempts to unwrap by interacting with the proton.wrap smart contract
- Sep 08, 2024, 12:51AM (PST) The attack is detected and preventative measures engaged to secure funds
Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun; while putting into place new security measures, controls and early-detection mechanisms to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality.
If you receive an email speaking about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.
You can contact support via help.xprnetwork.org
Sep 11, 2024
Update regarding the Loan Protocol
On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol affecting Metal X DeFi lending market smart contract (lending.loan) by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured. During the incident the following funds were unwrapped before detection: 2868071.411598 DOGE, 17.00633643 LTC, 189935.044555 XRP, 0.00179913 BTC and 0.0304795331175 ETH
The timeline of events is as follows:
- Sep 05, 2024 09:59:52 PM (PST) Letsgop KYC’ed an account
- Sep 07, 2024 11:39:36 PM (PST) Letsgop created the letsgopuppy account
- Sep 07, 2024 11:48:22 PM (PST) Letsgop funded the ram for letsgopuppy with 4 XLTC
- Sep 08, 2024 12:01:47 AM (PST) letsgopuppy pushed the contract
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a contain a series actions and table are not abi generated
- Actions are a stack of mint and redeem loop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a is the last action executed on the letsgopuppy account is to send to another account that was KYC verified Letsgop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a Letsgop attempts to unwrap by interacting with the proton.wrap smart contract
- Sep 08, 2024, 12:51AM (PST) The attack is detected and preventative measures engaged to secure funds
Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun; while putting into place new security measures, controls and early-detection mechanisms to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality.
If you receive an email speaking about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.
You can contact support via help.xprnetwork.org
Sep 11, 2024
Update regarding the Loan Protocol
On September 8th at 12:17am PST the core developer of the LOAN protocol on the XPR Network, Metallicus, became aware of a highly sophisticated re-entrancy exploit being executed on the protocol affecting Metal X DeFi lending market smart contract (lending.loan) by accounts “letsgop” and “letsgopuppy”. Upon becoming aware of this attack the appropriate measures were immediately taken to halt all mint/deposits, redemptions, borrows, repayments and liquidations. Additionally, our operational defensive security measures kicked in and funds were immediately frozen and secured. During the incident the following funds were unwrapped before detection: 2868071.411598 DOGE, 17.00633643 LTC, 189935.044555 XRP, 0.00179913 BTC and 0.0304795331175 ETH
The timeline of events is as follows:
- Sep 05, 2024 09:59:52 PM (PST) Letsgop KYC’ed an account
- Sep 07, 2024 11:39:36 PM (PST) Letsgop created the letsgopuppy account
- Sep 07, 2024 11:48:22 PM (PST) Letsgop funded the ram for letsgopuppy with 4 XLTC
- Sep 08, 2024 12:01:47 AM (PST) letsgopuppy pushed the contract
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a contain a series actions and table are not abi generated
- Actions are a stack of mint and redeem loop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a is the last action executed on the letsgopuppy account is to send to another account that was KYC verified Letsgop
- Sep 08, 2024 12:15:55 AM (PST) transaction ID: 5051099a Letsgop attempts to unwrap by interacting with the proton.wrap smart contract
- Sep 08, 2024, 12:51AM (PST) The attack is detected and preventative measures engaged to secure funds
Rest assured, all funds are safe and the limited amount of affected funds will be reimbursed by the core developer of the protocol, Metallicus. Furthermore, the cause of the exploit has been identified and patching work has begun; while putting into place new security measures, controls and early-detection mechanisms to further enhance the protocol and to detect and prevent future attacks. More details will be shared on this page if they become available. Please be patient while the core developer of the protocol, Metallicus, works to restore normal functionality.
If you receive an email speaking about this security incident from any other email address, it is not legitimate. These notices will include details about the timeline of events, and the core developer of the protocol will assist where necessary.
You can contact support via help.xprnetwork.org
Read Next
Jan 30, 2024
Gifting Crypto Made Easy
Introducing Metal X Virtual Gift Card Feature
Sep 3, 2023
Up to $2000 In Rebates
Are you ready to boost your crypto journey with exciting rewards?
Sep 8, 2023
XRP Available For Lending
Metal X, an All-In-One decentralized financial hub powered by the XPR Network, has added XRP to its lending and borrowing feature.
Oct 11, 2023
Metal X + CoinGecko
We're excited to announce that Metal X has been added to CoinGecko.
Developers
Trade Crypto
Metal X is a service of Metallicus, Inc., a licensed provider of money transfer services (NMLS ID: 2057807).
All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.’s licenses. © 2024 Metallicus, Inc.
License issued to Metallicus by the Louisiana Office of Financial Institutions does not cover the exchange or transmission of virtual currency. All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.'s licenses and/or the applicable law depending on the jurisdiction.
Developers
Trade Crypto
Metal X is a service of Metallicus, Inc., a licensed provider of money transfer services (NMLS ID: 2057807).
All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.’s licenses. © 2024 Metallicus, Inc.
License issued to Metallicus by the Louisiana Office of Financial Institutions does not cover the exchange or transmission of virtual currency. All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.'s licenses and/or the applicable law depending on the jurisdiction.
Developers
Trade Crypto
Metal X is a service of Metallicus, Inc., a licensed provider of money transfer services (NMLS ID: 2057807).
All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.’s licenses. © 2024 Metallicus, Inc.
License issued to Metallicus by the Louisiana Office of Financial Institutions does not cover the exchange or transmission of virtual currency. All money transmission is provided by Metallicus, Inc. pursuant to Metallicus, Inc.'s licenses and/or the applicable law depending on the jurisdiction.