Onyx Protocol Suffers Almost $4M Hack

Onyx Protocol experienced a $3.8 million loss on 26 September, marking another incident in a growing wave of cyber-attacks targeting vulnerabilities in the crypto ecosystem.

.@OnyxDAO was attacked, resulting in a loss of nearly $4M. The root cause was unverified user input during the liquidation process. Specifically, key parameters of the liquidateWithSingleRepay function in the NFTLiquidation contract were controllable by the attacker, allowing
 pic.twitter.com/lyYIqOzboj

— BlockSec (@BlockSecTeam) September 26, 2024

These attacks underscore the persistent security challenges facing the industry, even as global authorities intensify their scrutiny.

As institutional investment in crypto rises, some analysts warn that the ongoing hacks could weaken market confidence, potentially dampening investor sentiment.

Security Firms Highlight Onyx's Hack

Blockchain security firm PeckShield identified suspicious transactions on OnyxDAO, suggesting a possible attack on the protocol.

Hi @OnyxDAO, you may want to take a look pic.twitter.com/fcU6fHP4jr

— PeckShield Inc. (@peckshield) September 26, 2024

In a follow-up report, PeckShield revealed a total loss of $3.8 million, with the hacker already in the process of exchanging the stolen funds.

Here are the latest whereabouts of the stolen $3.8 million funds from @OnyxDAO pic.twitter.com/NOx9XDXXFY

— PeckShield Inc. (@peckshield) September 26, 2024

Web3 security firm Cyvers confirmed the breach, citing suspicious activity on the Ethereum blockchain, with most of the stolen assets in VUSD stablecoin.

🚹ALERT🚹 Our system has detected a suspicious transaction involving @OnyxDAO on the #ETH chain!

Total loss is around $3.2M. Most of the loss is in $VUSD. The attacker currently holds 521 $ETH ($1.36M). The rest of the digital assets have not been swapped yet!

More info will follow! Stay tuned!
 pic.twitter.com/CwGwRgZyNh

— 🚹 Cyvers Alerts 🚹 (@CyversAlerts) September 26, 2024

The incident has been traced to a precision issue in the CompoundV2 code base, allowing the hacker to manipulate exchange rates and drain assets including VUSD, DAI, XCN, USDT, and WBTC.

Specifically, the attacker exploited a nearly empty market to manipulate the exchange rate and siphon 4.1 million VUSD, 7.35 million XCN, 5,000 DAI, 0.23 WBTC, and 50,000 USDT.

It seems today's victim @OnyxDAO (w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base. The drained funds include 4.1m VUSD, 7.35m XCN, 5k DAI, 0.23 WBTC, 50k USDT.

The bug is exploited to leverage a nearly empty market to manipulate the exchange
 https://t.co/Apddu5aMbD pic.twitter.com/EKKRarFu5X

— PeckShield Inc. (@peckshield) September 26, 2024

On X (formerly known as Twitter), Onyx acknowledged the unusual activity and initiated a third-party post-mortem investigation.

Onyx Protocol is aware of unusual activity on our platform and is currently reviewing third party post mortem examination data while conducting our own investigation.

We will announce further details in due course 📣

— Onyx (@OnyxDAO) September 26, 2024

About seven hours later, Onyx released the post-mortem report.

A full explanation of the exploit can be found here: https://t.co/WLzmwni9h5 (as the primary issue wasn’t an empty market but the NFTLiquidation Contract)

XCN Staking and XCN Farming were, once again, unaffected.

— Onyx (@OnyxDAO) September 26, 2024

This attack mirrors a previous incident in October 2023, when hackers used a similar exploit, attributed to a rounding error, to steal $2.1 million.

Both breaches highlight vulnerabilities linked to Onyx Protocol's status as a fork of Compound Finance.

Onyx Protocol's Hack Could Have Been Avoided

In the open-source DeFi space, developers often opt to build on existing code rather than develop new functionality from scratch.

While this approach can enhance efficiency and security when executed properly, it carries risks.

If the base code has vulnerabilities, such as the rounding error seen in the Onyx Protocol hack, those flaws can be inherited by the forked project.

Security firm Halborn reported:

“In the case of the Onyx protocol, the Compound Finance code that it used had a known vulnerability that had already been exploited in Hundred Finance and Midas Capital, which also forked the Compound Finance code. However, the Onyx Protocol used the same code and lacked the community support and vigilance needed to prevent the vulnerability from being exploited.”

This breach, which could have been avoided with proper attention to existing guidance on launching markets within Compound Finance and its forks, highlights a broader issue within DeFi.

Security firm Hexagate advised in April 2023:

“At Hexagate, we recommend any Compound V2 fork, when launching new markets to mint some cTokens and burn them to make sure the total supply never goes to zero. When the total supply goes to zero, the protocol becomes vulnerable and this strategy mitigates this situation.”


— Hexagate (@hexagate_) April 23, 2023
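As an added illustration (not Onyx, Compound or Hexagate code), the following Python models the Compound V2-style exchange-rate arithmetic the article refers to and the launch procedure Hexagate recommends: a pre-listing check that refuses an empty market, a seed-and-burn step, and a measure of how far a direct transfer of underlying can move the rate before and after seeding. The `Market` fields, the 1e18 initial rate and the supply threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # fixed-point scale used for exchange rates


@dataclass
class Market:
    """Minimal Compound V2-style market state (constructed for this example)."""
    cash: int          # underlying held by the cToken contract
    borrows: int       # total outstanding borrows, in underlying
    reserves: int      # protocol reserves, in underlying
    total_supply: int  # cTokens in circulation
    initial_rate: int  # initialExchangeRateMantissa used while total_supply == 0

    def exchange_rate(self) -> int:
        # Compound V2: exchangeRate = (cash + borrows - reserves) / totalSupply,
        # falling back to the configured initial rate while the market is empty.
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        """Deposit underlying; returns cTokens minted (amount / rate, rounded down)."""
        tokens = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += tokens
        return tokens


def is_empty_market(m: Market, min_supply: int) -> bool:
    """Pre-listing check: a zero or tiny cToken supply is the state the article
    warns about, so a deployer should refuse to open such a market for borrowing."""
    return m.total_supply < min_supply


def seed_and_burn(m: Market, underlying: int) -> int:
    """Hexagate's mitigation: mint cTokens at launch and 'burn' them. Sending them to
    an unrecoverable address keeps them counted in total_supply forever, so the
    supply can never return to zero. Returns the number of cTokens locked."""
    return m.mint(underlying)  # minted here and never redeemed by anyone


def rate_sensitivity(m: Market, donation: int) -> float:
    """Ratio new/old of the exchange rate if `donation` underlying were transferred
    straight to the contract (raising cash without minting). Close to 1.0 is healthy;
    an empty or near-empty market returns a huge number, which is the risk signal."""
    if m.total_supply == 0:
        return float("inf")
    before = m.exchange_rate()
    after = (m.cash + donation + m.borrows - m.reserves) * MANTISSA // m.total_supply
    return after / before
```

Run `is_empty_market` and `rate_sensitivity` against a freshly deployed market before enabling it as collateral; both should pass only after the seed-and-burn step.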

The Onyx hack and similar incidents have drawn increased regulatory attention to the crypto market, with authorities aiming to protect user funds from bad actors.

However, regulatory scrutiny, such as the SEC's lawsuits against crypto exchanges, can also hinder innovation.

Recent attacks, including a $4.6 million hack on decentralised infrastructure provider Truflation, further illustrate the ongoing challenge of securing digital assets against sophisticated theft in the crypto industry.