DeFi protocol 0VIX hacked for $2 million

The attacker siphoned digital assets from the DeFi protocol 0VIX worth more than $2 million, reportedly in an attack using flash loan.

#CertiKSkynetAlert ?

We are currently investigating a #flashloan exploit on 0VIX.

It appears an attacker exploited the protocol via flash loan for ~$2million.

More details to follow pic.twitter.com/XVgb6EZ5oB

— CertiK Alert (@CertiKAlert) April 28, 2023

According to on-chain data, the hacker’s haul consisted of:

• ~1.45 million USD Coin (USDC);
• ~0.58 million Tether (USDT);
• ~9,566 tokens Aavegotchi (GHST).

An unknown transferred assets from the Polygon network to Ethereum via the cross-chain bridge Stargate Finance and converted them to ETH.

The 0VIX team, with few details, confirmed the incident and paused markets on Polygon and zkEVM. The latter were not affected by the attack, and the move was a precaution.

0VIX is working with its security partners to look into the current situation that seems to be related to vGHST.

As a result, POS and zkEVM markets have been paused this includes pausing oToken transfers, minting, and liquidations.

Only POS has been currently affected but zkEVM…

— 0VIX | live on zkEVM (@0vixProtocol) April 28, 2023

According to the developers, the attack vector is linked to GHST.

? The root cause of the exploit is the vulnerable $vGHST Oracle, which allowed the attacker to manipulate the price

— Hacken?? (@hackenclub) April 28, 2023

«The main cause of the exploit was the vulnerable GHST oracle, which allowed the attacker to manipulate the price», Hacken experts confirmed in their findings.

In the wake of the attack the value of assets blocked in 0VIX plummeted from $6.42 million to $1.78 million, according to DeFi Llama.

Back in April, the Merlin decentralised exchange on zkSync lost about $2 million in an attack. The project team said the incident was not caused by an exploit but by fraudulent actions by a group of technical specialists.