Nexera burns 32.5m compromised tokens after $440k loss

Decentralized finance protocol Nexera has burned stolen NXRA tokens in a bid to mitigate damage to its ecosystem’s stability.

Data from blockchain security firm PeckSheildAlert reveal that the defi protocol has permanently removed 32.5 million NXRA tokens from circulation.

The move follows an Aug. 7 exploit, first flagged by forensic firm Cyvers, which noted a suspicious transaction from Nexera’s proxy contract. Initial findings suggested that the attacker upgraded the contract with new permissions and used the withdraw admin function to drain $1.5 million worth of NXRA tokens.

Subsequently, the hacker was seen swapping the stolen funds for ETH in a bid to launder it via cryptocurrency mixers like Tornado Cash, a common tactic employed in such cases. However, in a second announcement following the exploit, the Nexera team said it had managed to freeze 32.5 million NXRA tokens.

Per the post-incident report, the attacker managed to get away with only $440,000 worth of NXRA tokens. 

Further, it was determined that the protocol’s smart contracts were not compromised, and as such, the project would retain its current token address. The project has vowed to announce a complete report of the incident “in the coming days.”

“The exploit was part of a wider coordinated attack targeting multiple projects and protocols,” the announcement added.

As of now, the Nexera team has urged its community members to refrain from trading, noting that KuCoin and MEXC have halted trading and withdrawals of the token. The hacker had reportedly engaged with exploit-related addresses on KuCoin and MEXC.

The recent incident was the second time the defi protocol had fallen victim to an exploit. Known as AllianceBlock at the time, the project lost 110 million of its legacy ALBT tokens after a hacker exploited Bonq, a decentralized borrowing protocol.

A day before the incident, a white hat hacker exploited Axie Infinity’s Ronin Bridge for 4,000 ETH, worth almost $10 million. The hacker exploited a Maximum Extractable Value bug to drain the funds but returned them a day later.