Onyx protocol exploited a second time for $3.8M via known bug
Decentralized finance (DeFi) protocol Onyx was exploited for $3.8 million on Sept. 26, according to a report from blockchain security platform PeckShield. The exploit used a known bug in the Compound Finance v2 codebase — one that had already been used to exploit Onyx previously on Nov. 1. A vulnerability in the non-fungible token (NFT) liquidation contract also contributed to the exploit, the report stated.
In a Sept. 27 X post, the Onyx team claimed that the faulty NFT contract was the root cause of the exploit.
According to the PeckShield report, 4.1 million Virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the Dai (DAI) stablecoin and $50,000 worth of the USDt (USDT) stablecoin were drained from the protocol, for a total of over $3.8 million in losses.
Source: PeckShield
The known vulnerability exists in version 2 of Compound Finance, a lending codebase that many decentralized finance protocols fork. It was used to exploit Hundred Finance in April 2023, and in November 2023 it was used against Onyx for the first time, in a copycat of the Hundred Finance attack that caused about $2.1 million in losses.
The flaw can only be exploited when an “empty market,” or a market with no liquidity, exists, which generally only happens when a new market is launched. In that state an attacker can hold almost the entire, dust-sized cToken supply, donate underlying tokens directly to the contract to inflate the exchange rate, borrow other assets against the inflated collateral value, and then recover the donation because the redemption math rounds the number of cTokens burned down.
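To make the empty-market condition concrete, the following is an added Python model of the Compound v2 cToken arithmetic (truncating integer division, the 1e18 exchange-rate scale). It is not Onyx's or Compound's code; the class and function names (CTokenMarket, run_empty_market_attack, seed_market) and the WBTC-like amounts are constructed for this illustration, and the borrow step that produces the actual theft is left out. It replays the sequence twice: once against a freshly launched market, where the attacker gets the whole donation back while keeping a cToken valued at the full donation, and once against a market whose deployer minted and burned an initial supply at launch, where the same sequence yields the attacker a few units.

```python
# Integer model of Compound v2 cToken accounting, using the same truncating
# division as the Solidity contract (exchangeRateStoredInternal, mintFresh,
# redeemFresh). Added illustration, not Onyx's or Compound's code; amounts
# used below are constructed for the example.
from dataclasses import dataclass

EXP_SCALE = 10**18  # Compound's 1e18 fixed-point scale for exchange rates


@dataclass
class CTokenMarket:
    """Minimal cToken state for one market; borrows and reserves stay at zero."""
    total_cash: int = 0                      # underlying units held by the contract
    total_supply: int = 0                    # cTokens outstanding (all holders)
    initial_exchange_rate: int = 2 * 10**16  # 0.02 underlying per cToken (a common default)

    def exchange_rate(self) -> int:
        # With no cTokens outstanding the initial rate applies; otherwise the
        # rate is cash / supply, so a dust-sized supply makes it explode.
        if self.total_supply == 0:
            return self.initial_exchange_rate
        return self.total_cash * EXP_SCALE // self.total_supply

    def mint(self, underlying: int) -> int:
        # mintFresh: tokens = amount / exchangeRate, truncated.
        tokens = underlying * EXP_SCALE // self.exchange_rate()
        self.total_cash += underlying
        self.total_supply += tokens
        return tokens

    def redeem_tokens(self, tokens: int) -> int:
        # redeemFresh(redeemTokensIn): underlying = tokens * exchangeRate, truncated.
        underlying = tokens * self.exchange_rate() // EXP_SCALE
        self.total_supply -= tokens
        self.total_cash -= underlying
        return underlying

    def redeem_underlying(self, underlying: int) -> int:
        # redeemFresh(redeemAmountIn): tokens burned = amount / exchangeRate,
        # truncated toward zero. Returns the number of cTokens burned.
        if underlying > self.total_cash:
            raise ValueError("market has insufficient cash")
        tokens = underlying * EXP_SCALE // self.exchange_rate()
        self.total_supply -= tokens
        self.total_cash -= underlying
        return tokens

    def donate(self, underlying: int) -> None:
        # A plain ERC-20 transfer to the cToken address: raises cash, mints nothing.
        self.total_cash += underlying


def seed_market(market: CTokenMarket, underlying: int) -> int:
    """Launch-time mitigation: the deployer mints cTokens and burns them (they are
    never redeemed), so total_supply can no longer be driven down to dust."""
    return market.mint(underlying)


def run_empty_market_attack(market: CTokenMarket, deposit: int, donation: int) -> dict:
    """Replay the Hundred Finance / Onyx sequence against `market` and report what the
    attacker ends up with. The borrow taken against the inflated collateral is not
    modelled; only the collateral figure and how much of the donation comes back are."""
    minted = market.mint(deposit)
    market.redeem_tokens(minted - 2)   # keep 2 wei of cTokens; supply is now dust if unseeded
    held = 2
    market.donate(donation)            # inflate cash, hence the exchange rate
    rate = market.exchange_rate()
    collateral_value = held * rate // EXP_SCALE   # what the comptroller values the 2 tokens at

    # Try to pull almost all cash back out. With an inflated rate, redeemUnderlying
    # truncates the tokens burned to 1, so the attacker keeps a cToken as well.
    want = market.total_cash - 1
    needed = want * EXP_SCALE // rate
    if needed <= held:
        burned = market.redeem_underlying(want)
        recovered = want
    else:
        # Seeded market: the attacker's 2 tokens are worth a few units, nothing more.
        burned = held
        recovered = market.redeem_tokens(held)
    return {
        "collateral_value": collateral_value,
        "recovered": recovered,
        "tokens_burned": burned,
        "supply_after": market.total_supply,
    }


if __name__ == "__main__":
    # Constructed amounts in an 8-decimal underlying (WBTC-like): 4 BTC deposit, 500 BTC donation.
    fresh = CTokenMarket()
    print("empty market:", run_empty_market_attack(fresh, 4 * 10**8, 500 * 10**8))
    seeded = CTokenMarket()
    seed_market(seeded, 1 * 10**8)    # deployer burns 1 BTC worth of cTokens at launch
    print("seeded market:", run_empty_market_attack(seeded, 4 * 10**8, 500 * 10**8))
```

In the fresh market the attacker's two cTokens are valued at the full 500 BTC donation plus one unit, and redeeming 500 BTC back burns only one of them, so the net cost of holding 500 BTC of borrowing power is one unit of the underlying. In the seeded market the donation is spread over the burned launch supply instead, the two cTokens are worth 20 units, and redemption requires far more cTokens than the attacker holds. Any fork that launches a new market should therefore seed and burn a non-trivial supply in the same transaction as deployment, or otherwise refuse to let total supply fall to dust.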
The Onyx team acknowledged the exploit in an X post. “Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol,” it stated. However, it claimed that the known flaw was not its primary cause. “The primary issue wasn’t an empty market but the NFTLiquidation Contract,” it stated in a thread.
PeckShield agreed that the NFT contract was “[a]nother issue that facilitates the hack.” The faulty contract allowed the attacker to “inflate the self-liquidation reward amount” because it didn’t “properly validate (untrusted) user input.”
Onyx NFT contract vulnerability. Source: PeckShield
DeFi exploits are a common source of losses for Web3 users. On Sept. 27, liquid staking protocol Bedrock lost over $2 million due to a vulnerability in its uniBTC contract. On Sept. 23, Bankroll Network was drained of $230,000 when an attacker made multiple self-transfers, exploiting a faulty “buyFor” function to inflate their profits.