DeFi Disaster: Onyx Protocol Loses $3.8 Million in Second Hack Exploiting Known Vulnerability

By Michel Michael

Onyx Protocol Suffers $3.8 Million DeFi Hack Exploiting Known Code Vulnerability

On Thursday, Onyx Protocol, a decentralized finance (DeFi) platform and a fork of Compound Finance, was hacked, resulting in a loss of $3.8 million. The attackers exploited a known precision issue in the protocol's codebase, specifically inherited from the Compound V2 code. By manipulating nearly empty markets, they were able to artificially inflate exchange rates and siphon off millions in various cryptocurrencies.

Security firms PeckShield and Cyvers detected and reported the suspicious transactions. Initially estimating the loss at $3.2 million, they later updated it to $3.8 million. The stolen assets include:

  • 4.1 million VUSD
  • 7.35 million XCN
  • 5,000 DAI
  • 0.23 WBTC
  • 50,000 USDT

This attack mirrors a previous exploit on the same protocol in October 2023, where $2.1 million was lost due to a similar vulnerability involving rounding errors in the code.

Who Is Involved?

  • Onyx Protocol: A DeFi platform that allows users to lend and borrow cryptocurrencies.
  • Attackers: Unidentified hackers who exploited the code vulnerability.
  • PeckShield and Cyvers: Web3 security firms that detected and reported the hack.
  • Hexagate: A security firm that provided recommendations to prevent such exploits.

Where and When Did It Happen?

  • Date: The attack occurred on a Thursday (specific date not provided).
  • Location: Being a DeFi protocol, the incident took place on the blockchain network where Onyx Protocol operates.

Why and How Did It Happen?

The attackers exploited a precision issue in the forked Compound V2 code, specifically targeting nearly empty markets to manipulate exchange rates. This vulnerability stems from rounding errors in the code, which can be manipulated when the total supply in a market is near zero. By exploiting this flaw, the attackers were able to withdraw more assets than they had deposited.

Key Takeaways

  • Exploited Known Vulnerabilities: The attack leveraged a known precision issue in the Compound V2 code, highlighting the risks of inheriting vulnerabilities when forking code.
  • Significant Financial Loss: Onyx Protocol lost $3.8 million, with major losses in VUSD stablecoin, emphasizing the financial risks associated with DeFi protocols.
  • Repeated Attacks: This is the second major hack on Onyx Protocol in 2023, indicating persistent security issues and lack of adequate preventive measures.
  • Importance of Security Audits: The incident underscores the need for thorough security audits and community oversight in DeFi projects.
  • Broader Implications for DeFi: The hack adds to a series of attacks in the crypto industry, emphasizing the ongoing challenge of securing DeFi protocols against known vulnerabilities.

Deep Analysis

Underlying Vulnerabilities

The Onyx Protocol hack is a stark reminder of the inherent risks in the DeFi ecosystem, particularly when protocols are built on forked code without addressing existing vulnerabilities. The attackers exploited a precision issue—a vulnerability that was already known and had been exploited in previous attacks on other protocols like Hundred Finance and Midas Capital.

Precision Issue in Compound V2 Code

  • Rounding Errors: The vulnerability arises from rounding errors in the code that can be manipulated when the total supply in a market is near zero.
  • Empty Markets: Attackers target nearly empty markets to artificially inflate exchange rates, allowing them to withdraw more assets than they deposited.

Lack of Community Oversight

  • Minimal Governance Participation: Proposal 22, which created the vulnerable PEPE lending market, received minimal community support, with only 11 votes from mostly one address.
  • Ignored Security Recommendations: Security firms advised minting and burning cTokens when launching new markets to ensure the total supply never reaches zero—a recommendation that appears to have been overlooked.

Prevention and Mitigation Strategies

Hexagate, a security firm, recommends the following measures:

  1. Minting and Burning cTokens: When launching new markets, ensure that the total supply never reaches zero to prevent manipulation of exchange rates.
  2. Community Engagement: Increase community participation in governance to enhance oversight and scrutiny of new proposals.
  3. Regular Security Audits: Conduct thorough and regular security audits, especially when forking code from other projects.
  4. Implement Multi-Layer Security Protocols: Use multi-signature wallets and two-factor authentication to add layers of security.
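As an added illustration (not code from Onyx Protocol, Compound or Hexagate), the Python model below reproduces the integer accounting in which the precision issue described above lives: the exchange rate is (cash + borrows - reserves) / totalSupply, a mint or redeem truncates, and a plain token transfer into the contract raises cash without minting. It then measures how much underlying a single redeem can take beyond fair value through that truncation, and applies the first mitigation in the list above, minting cTokens at launch and burning them so the supply can never return to zero. The token decimals, the initial exchange rate mantissa of 2e26, the seed and donation amounts, the minimum-burn threshold and every function name are assumptions for a constructed scenario; the model ignores interest accrual, borrowing and the real contracts' access checks.

```python
"""Toy model of Compound V2 cToken accounting, written for this article.

Constructed assumptions (not Onyx or Compound code): 18-decimal underlying,
8-decimal cTokens, initial exchange rate mantissa 2e26 (0.02 underlying per
cToken), no interest accrual, no borrowing. The goal is to measure the
rounding slack a single redeem enjoys and show why a burned seed supply,
the launch-time mitigation recommended above, keeps that slack negligible.
"""
from dataclasses import dataclass

MANTISSA = 10**18           # fixed-point scale used by Compound V2 Exp math
INITIAL_RATE = 2 * 10**26   # assumed initial exchange rate mantissa


@dataclass
class Market:
    cash: int = 0           # underlying held by the cToken contract (wei)
    borrows: int = 0        # outstanding borrows (unused here, kept for the formula)
    reserves: int = 0       # protocol reserves (unused here, kept for the formula)
    total_supply: int = 0   # cToken units outstanding, including any burned seed
    burned: int = 0         # cToken units locked forever at launch (never redeemable)

    def exchange_rate(self) -> int:
        # Initial rate while nothing is minted; afterwards
        # (cash + borrows - reserves) * 1e18 / totalSupply, truncated.
        if self.total_supply == 0:
            return INITIAL_RATE
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        # mintTokens = underlying / exchangeRate, truncated
        tokens = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += tokens
        return tokens

    def redeem_underlying(self, underlying: int) -> int:
        # Redeem an exact underlying amount; the cTokens burned are
        # underlying / exchangeRate truncated, i.e. rounded in the redeemer's favour.
        tokens = underlying * MANTISSA // self.exchange_rate()
        if underlying > self.cash or tokens > self.total_supply - self.burned:
            raise ValueError("insufficient cash or redeemable supply")
        self.cash -= underlying
        self.total_supply -= tokens
        return tokens

    def donate(self, underlying: int) -> None:
        # A plain token transfer into the contract raises cash without minting
        # cTokens, which is what moves the exchange rate when supply is tiny.
        self.cash += underlying


def seed_and_burn(market: Market, underlying: int) -> int:
    """Launch mitigation: mint cTokens with real underlying and burn them,
    so totalSupply can never return to zero and the rate cannot be inflated cheaply."""
    tokens = market.mint(underlying)
    market.burned += tokens
    return tokens


def rounding_slack_wei(market: Market) -> int:
    """Underlying (wei) a redeemer can take while burning exactly one cToken unit,
    beyond that unit's fair value. The largest u with floor(u*1e18/rate) == 1 is
    (2*rate - 1) // 1e18; the fair value of one unit is rate // 1e18."""
    rate = market.exchange_rate()
    max_underlying_for_one_unit = (2 * rate - 1) // MANTISSA
    fair_value_of_one_unit = rate // MANTISSA
    return max(0, max_underlying_for_one_unit - fair_value_of_one_unit)


def launch_invariant_ok(market: Market, min_burned_units: int) -> bool:
    """Audit check a reviewer could run against a new-market proposal (assumed threshold)."""
    return market.burned >= min_burned_units and market.total_supply >= market.burned


def compare_launch_policies(seed: int = 1_000 * 10**18,
                            donation: int = 1_000_000 * 10**18) -> dict:
    """Constructed scenario: the same donation into a seeded and an unseeded market."""
    seeded = Market()
    seed_and_burn(seeded, seed)
    seeded.donate(donation)

    unseeded = Market()
    unseeded.mint(2 * 10**8)   # smallest deposit that mints exactly one cToken unit
    unseeded.donate(donation)

    report = {}
    for name, m in (("seeded", seeded), ("unseeded", unseeded)):
        report[name] = {
            "total_supply": m.total_supply,
            "exchange_rate": m.exchange_rate(),
            "slack_wei": rounding_slack_wei(m),
            "launch_ok": launch_invariant_ok(m, min_burned_units=10**9),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_launch_policies().items():
        print(name, row)
```

In the seeded market the same donation leaves a rounding slack of about 2e11 wei (2e-7 of one underlying unit) per redeem, while in the market whose total supply is one unit the slack equals the whole pool, which is the "withdraw more than deposited" condition the article describes. The `launch_invariant_ok` check is the kind of one-line gate a governance reviewer or monitoring bot can apply to a proposal such as the PEPE market before it goes live.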

Broader Implications for the DeFi Industry

The attack on Onyx Protocol underscores several critical issues:

  • Risks of Forked Code: Inheriting code without addressing existing vulnerabilities can propagate security flaws across multiple platforms.
  • Need for Enhanced Security Measures: As DeFi grows, so does the sophistication of attacks, necessitating more robust security protocols.
  • Importance of Community Governance: Active community participation is vital for the early detection and prevention of potential vulnerabilities.
  • Challenges with Open-Source Code: While open-source fosters innovation, it also means vulnerabilities are transparent and can be exploited if not adequately addressed.

Did You Know?

  • Open-Source Risks: While open-source code allows for rapid development and innovation, it can also spread vulnerabilities across multiple projects if the original flaws are not fixed.
  • DeFi Hacks in 2023: The Onyx Protocol hack adds to a growing list of DeFi hacks in 2023, with attackers exploiting vulnerabilities in smart contracts to steal millions.
  • Importance of cTokens: cTokens are interest-bearing tokens used in Compound-based protocols. Proper handling of cTokens is crucial to prevent vulnerabilities like the one exploited in the Onyx hack.
  • Community Governance: DeFi protocols often rely on community governance for decision-making. Low participation can lead to unchecked proposals that may introduce security risks.
  • Security Firms' Role: Firms like PeckShield and Cyvers play a critical role in detecting and reporting suspicious activities, helping to mitigate the impact of hacks.

The $3.8 million loss at Onyx Protocol serves as a stark reminder of the critical need for enhanced security protocols and vigilant community oversight in the rapidly evolving DeFi landscape. As the industry continues to mature, prioritizing security and robust governance will be essential in safeguarding assets and maintaining user trust.
