Hackers Exploit Old Vulnerability to Breach Onyx for $3.8 Million

On September 26th, the DeFi protocol Onyx suffered an attack, resulting in a loss of $3.8 million. This marks the second breach of the platform this year, both times using the same exploit.

It seems today’s victim @OnyxDAO (w/ >$3.8m loss) falls prey to a known precision issue in forked CompoundV2 code base. The drained funds include 4.1m VUSD, 7.35m XCN, 5k DAI, 0.23 WBTC, 50k USDT.

The bug is exploited to leverage a nearly empty market to manipulate the exchange… https://t.co/Apddu5aMbD pic.twitter.com/EKKRarFu5X

— PeckShield Inc. (@peckshield) September 26, 2024

According to PeckShield, hackers exploited a known flaw in the Compound Finance v2 code and took advantage of a vulnerability in the NFT liquidation contract.

On November 1, 2023, unknown attackers withdrew approximately $2.1 million from Onyx using a similar attack method.

Analysts assert that the Compound Finance v2 flaw can only be exploited in a “nearly empty market” or when liquidity is absent.

The faulty NFT contract allowed the perpetrator to “inflate the self-liquidation reward amount,” as it “did not properly validate user input.”

The Onyx team confirmed the incident, stating that the primary cause of the exploit was the non-fungible token contract.

Onyx Protocol Money Markets Post Mortem ?

Onyx Protocol was subject to a security incident where a nefarious actor exploited the protocol to drain VUSD from the protocol.

This exploit can be identified and understood from a vulnerability in the NFT Liquidation contract.

— Onyx (@OnyxDAO) September 26, 2024

The DAO is initiating a vote on relaunching the protocol and rethinking its governance structure. Developers have proposed launching an open-source financial network, Onyx Core, which will underpin the compromised Onyx Protocol.

“This proposal will close the Ethereum-based lending market and reimburse all affected users in full, at a 1:1 ratio of the assets they provided,” the statement reads.

Previously, hackers stole $2 million from the Bitcoin restaking protocol Bedrock due to a vulnerability in the synthetic token uniBTC.

Earlier, between July and September, cryptocurrency companies faced 34 incidents of hacks and fraud, resulting in losses exceeding $413 million, according to Immunefi.