The lending DeFi platform Onyx Protocol lost about $2.1 million following an exploit of an illiquid market deployed on October 27.
#PeckShieldAlert @OnyxProtocol has been exploited for ~2.1M pic.twitter.com/5Z50tCg6MD
— PeckShieldAlert (@PeckShieldAlert) November 1, 2023
PeckShield researchers presumably flagged the incident before the protocol team was aware of it.
According to the company’s specialists, the attackers exploited a known rounding issue in the popular Compound v2 fork that underpins Onyx’s architecture.
This bug was used in April by unknown actors to hack Hundred Finance for about $7 million.
PeckShield specialists explained the mechanism of the attack on Onyx:
«Essentially, the exploited oPEPE market was deployed five days ago with no liquidity. The pool was filled with borrowed funds, which were then repaid using the rounding issue».
The @OnyxProtocol hack leads to ~$2.1M loss by exploiting a known rounding issue behind the popular CompoundV2 fork.
Basically, the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other… https://t.co/ijkXbOyYr2 pic.twitter.com/fbHdZhTz0E
— PeckShield Inc. (@peckshield) November 1, 2023
The attackers used instant loans to mobilize resources for the attack and to manipulate exchange rates, according to BlockSec’s spokesperson in a comment to The Block.
On-chain data shows that 750 ETH (~$1.25 million) the Onyx hackers have already sent to the mixing service Tornado Cash. The latter was sanctioned by the U.S. in August 2022.
In October, the damage to the crypto industry from hacks and fraud fell to $51.6 million. This is 85.6% lower than a month earlier, according to Beosin data.