The rounding problem led to a major money drain.
The DeFi project Onyx Protocol, which provides loan and deposit services, faced a hacker attack, as a result of which about $2.1 million was stolen. The attack occurred on October 27 and was discovered by blockchain security experts from the company PeckShield.
According to analysts at PeckShield, the attackers took advantage of a well-known rounding problem in the popular fork of Compound v2, which is the basis of the Onyx architecture. The same bug was used in April to hack about $7 million worth of Hundred Finance.
PeckShield specialists explained the mechanism of the attack on Onyx: "In fact, the oPEPE market that was exploited was deployed five days ago without any liquidity. The pool was filled with borrowed funds, which were then repaid due to the rounding problem."
The attackers also used instant loans to attract resources for the attack and manipulate exchange rates, a BlockSec representative said in a comment to The Block. On-chain data shows that Onyx hackers have already transferred 750 ETH (~$1.25 million) to the anonymization service Tornado Cash, which was sanctioned by the United States back in August 2022.
The Onyx Protocol team has not yet made any official statements about the incident. Their website states that the project is in beta and is not intended for use on the main Ethereum network.
The DeFi project Onyx Protocol, which provides loan and deposit services, faced a hacker attack, as a result of which about $2.1 million was stolen. The attack occurred on October 27 and was discovered by blockchain security experts from the company PeckShield.
According to analysts at PeckShield, the attackers took advantage of a well-known rounding problem in the popular fork of Compound v2, which is the basis of the Onyx architecture. The same bug was used in April to hack about $7 million worth of Hundred Finance.
PeckShield specialists explained the mechanism of the attack on Onyx: "In fact, the oPEPE market that was exploited was deployed five days ago without any liquidity. The pool was filled with borrowed funds, which were then repaid due to the rounding problem."
The attackers also used instant loans to attract resources for the attack and manipulate exchange rates, a BlockSec representative said in a comment to The Block. On-chain data shows that Onyx hackers have already transferred 750 ETH (~$1.25 million) to the anonymization service Tornado Cash, which was sanctioned by the United States back in August 2022.
The Onyx Protocol team has not yet made any official statements about the incident. Their website states that the project is in beta and is not intended for use on the main Ethereum network.
