Onyx, a decentralized finance (DeFi) platform, was exploited on Sept. 26, losing nearly $3.8 million. The attack stemmed from a known vulnerability in the Compound Finance v2 codebase and a new issue in an NFT liquidation contract, according to blockchain security firm PeckShield.
This wasn’t the first time Onyx had been targeted. A similar bug in the Compound Finance code was used against the platform in a previous attack in October 2023.
How the Exploit Happened
PeckShield’s report revealed that the attacker drained various assets from the protocol, including:
- 4.1 million virtual USD (VUSD)
- 7.35 million Onyxcoin (XCN)
- 0.23 Wrapped Bitcoin (WBTC)
- $5,000 in Dai (DAI)
- $50,000 in Tether (USDT)
The combined value of the stolen assets totaled more than $3.8 million.
The attack leveraged an old bug in Compound Finance v2, a codebase widely used by DeFi protocols, alongside a vulnerability in Onyx’s NFT liquidation contract that let the hacker extract even more from the system.
Known Issue in Compound Finance
The bug used in this attack isn’t new. It was previously identified in April 2023, when it was exploited in Hundred Finance, another DeFi protocol that also uses the Compound Finance v2 code. The vulnerability becomes an issue in “empty markets,” where there’s no liquidity, often when a new market is launched.
Onyx’s Response
Onyx confirmed the attack in a Sept. 27 post on X (formerly Twitter). The team acknowledged the exploit but claimed the main issue wasn’t just the known Compound Finance bug. They pointed to a flawed NFTLiquidation Contract that failed to validate user inputs properly, which allowed the hacker to inflate their self-liquidation rewards and extract more from the platform.
PeckShield’s analysis supported Onyx’s statement, noting that the faulty contract was a key contributor to the hack because it didn’t properly check user inputs.
Growing Issue of DeFi Exploits
Exploits in decentralized finance are becoming more frequent and costly. On the same day as the Onyx attack, another platform, Bedrock, lost over $2 million due to a bug in its uniBTC contract. Just days earlier, on Sept. 23, the Bankroll Network lost $230,000 when an attacker exploited a flawed “buyFor” function to artificially inflate profits through multiple self-transfers.