Nexera burns 32.5m compromised tokens after $440k loss

Decentralized finance protocol Nexera has burned stolen NXRA tokens in an effort to reduce damage to the stability of its ecosystem.

According to data from blockchain security firm PeckSheildAlert, it has been revealed that the Defi protocol has permanently removed 32.5 million NXRA tokens from circulation.

The move follows an Aug. 7 exploit first flagged by forensics firm Cyvers, which detected a suspicious transaction from Nexera’s proxy contract. Initial findings suggested that the attacker upgraded the contract with new permissions and used the withdrawal manager function to drain $1.5 million worth of NXRA tokens.

The hacker was later found to have exchanged the stolen funds for ETH to launder them through cryptocurrency mixers like Tornado Cash, a common tactic used in such cases. However, in a second announcement after the exploit, the Nexera team said it had managed to freeze 32.5 million NXRA tokens.

According to the post-incident report, the attacker only managed to steal $440,000 worth of NXRA tokens.

It was also determined that the protocol’s smart contracts were not compromised, and therefore the project will retain its current token address. The project promised to announce a full report on the incident “in the coming days.”

“This exploit was part of a larger, coordinated attack targeting multiple projects and protocols,” the statement said.

As of now, the Nexera team has stated that KuCoin and MEXC have stopped trading and withdrawing tokens, urging community members to stay away from trading. The hacker reportedly interacted with exploit-related addresses on KuCoin and MEXC.

The latest incident was the second time a defi protocol has fallen victim to an exploit. The project, then known as AllianceBlock, lost 110 million of its old ALBT tokens after a hacker exploited Bonq, a decentralized lending protocol.

The day before the incident, a white hat hacker exploited Axie Infinity’s Ronin Bridge for 4,000 ETH, worth around $10 million. The hacker used a Maximum Mintable Value bug to drain the funds, but returned them a day later.