Onyx protocol lost more than $2 million due to hacker attack

[Carding 4 Carders]

The Onyx Protocol DeFi landing platform lost approximately $2.1 million as a result of an illiquid market exploit deployed on October 27.

#PeckShieldAlert @OnyxProtocol has been exploited for ~2.1M https://t.co/5Z50tCg6MD
— PeckShieldAlert (@PeckShieldAlert) November 1, 2023

PeckShield experts probably noticed the incident when the protocol team didn't know about it yet.

According to the company's specialists, the attackers took advantage of a well-known rounding problem in the popular fork of Compound v2, which is the basis of the Onyx architecture.

Unknown people used this bug in April to hack into Hundred Finance in the amount of approximately $7 million.

PeckShield experts explain the attack mechanism on Onyx:

"In essence, the exploited oPEPE market was deployed five days ago without any liquidity. The pool was filled with borrowed funds, which were then repaid due to the rounding problem."

The @OnyxProtocol hack leads to ~$2.1M loss by exploiting a known rounding issue behind the popular CompoundV2 fork.

Basically, the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other… https://t.co/ijkXbOyYr2 pic.twitter.com/fbHdZhTz0E
— PeckShield Inc. (@peckshield) November 1, 2023

Attackers used instant loans to attract resources for an attack and manipulate exchange rates, a BlockSec representative said in a comment to The Block.

On-chain data shows that Onyx hackers have already sent 750 ETH (~$1.25 million) to the Tornado Cash mixing service.

 

[Friend]

Hackers used an old exploit to re-hack Onyx for $3.8 million

On September 26, the Onyx DeFi protocol was attacked and lost $3.8 million, the second platform hack in a year in which the same exploit was used.

It seems today's victim @OnyxDAO (w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base. The drained funds include 4.1m VUSD, 7.35m XCN, 5k DAI, 0.23 WBTC, 50k USDT.

The bug is exploited to leverage a nearly empty market to manipulate the exchange… https://t.co/Apddu5aMbD pic.twitter.com/EKKRarFu5X
— PeckShield Inc. (@peckshield) September 26, 2024

https://twitter.com/x/status/1839302663680438342

According to Peck Shield, hackers exploited a known bug in the Compound Finance v2 code and exploited a vulnerability in the NFT liquidation contract.

On November 1, 2023, unknown persons withdrew approximately $2.1 million from Onyx thanks to a similar attack method.

Analysts claim that the Compound Finance v2 bug can only be exploited in an "empty market" or when there is no liquidity.

The faulty NFT contract allowed the attacker to "inflate the amount of the self-destruct reward" because it "did not properly verify the user's input."

The Onyx team confirmed the incident and stated that the main reason for the exploit is the contract for non-fungible tokens.

Onyx Protocol Money Markets Post Mortem.

Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol.

This exploit can be identified and understood from a vulnerability in the NFT Liquidation contract.
— Onyx (@OnyxDAO) September 26, 2024

https://twitter.com/x/status/1839444120060023167

The DAO will initiate a vote to restart the protocol and rethink its governance component. The developers proposed to release an open-source financial network Onyx Core, on the basis of which the hacked Onyx Protocol will operate.

"This proposal will close the Ethereum-based lending market and reimburse all affected users for the full amount of funds at a 1:1 ratio of the assets they provided", the statement said.