.@OnyxDAO was attacked, resulting in a loss of nearly $4M. The root cause was unverified user input during the liquidation process. Specifically, key parameters of the liquidateWithSingleRepay function in the NFTLiquidation contract were controllable by the attacker, allowing manipulation of the extraRepayAmount variable through the repayAmount parameter. By exploiting this, the attacker was able to liquidate all collateral with just one token.

The key attack steps are summarized as follows:

1. The attacker first deposited oETH and borrowed various assets to reach the liquidation threshold. Simultaneously, they created a new contract that, through a donation attack and precision loss (inherent from the Compound V2 fork), reduced the oETH exchange rate, making the attacker's position eligible for liquidation.

2. The attacker then performed the liquidation. Due to insufficient parameter validation, the attacker manipulated the extraRepayAmount variable, which was added to the calculation of how many tokens needed to be liquidated. This allowed the attacker to obtain more oETH through liquidation, leading to a profit.

Attack Tx: