Onyx DeFi Protocol Exploited: $3.8 Million Lost in Latest Hack
On September 26, the decentralized finance (DeFi) protocol Onyx fell victim to an attack, resulting in the theft of $3.8 million in assets. The incident was reported by the blockchain security platform PeckShield. The primary cause of the attack was a known bug in the Compound Finance version 2 codebase, which had already been used against Onyx in November of the previous year.
According to the report, the attack was also facilitated by a flaw in the NFT liquidation contract: the contract failed to properly validate user inputs, allowing the attackers to inflate the rewards for self-liquidating assets.
The Onyx team confirmed the exploitation of this vulnerable contract and identified it as the key factor that led to the incident.
PeckShield reported that the attackers withdrew 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), approximately $5,000 in the stablecoin Dai (DAI), and $50,000 in the stablecoin USDt (USDT), with total losses exceeding $3.8 million.
The well-known vulnerability in Compound Finance v2’s codebase has repeatedly been the cause of attacks on various decentralized finance protocols. In April 2023, this same bug affected the Hundred Finance protocol, and in October 2023, it was first used against Onyx.
Exploitation of the vulnerability is possible only in a “dry market” scenario, in which a market has essentially no liquidity. This typically occurs when a new market is launched, which is what left the Onyx protocol exposed. However, the protocol team asserts that the primary cause of the incident was the flaw in the NFT liquidation contract.
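The “dry market” condition above, as an added illustration that is not code from Onyx, Compound or PeckShield: a toy Python model of a Compound v2 style cToken market, showing why a freshly launched market with almost no cToken supply can have its exchange rate moved by orders of magnitude by a direct transfer of underlying, while a properly seeded market barely moves. The `safe_to_enable_collateral` listing check and the 1000-token seed are assumptions, not protocol parameters.

```python
# Toy model of a Compound v2 style (cToken) market, constructed for this
# article; it is not Onyx or Compound code. Borrows and reserves are folded
# into `cash` for brevity.
from dataclasses import dataclass

MANTISSA = 10**18
INITIAL_RATE = 2 * 10**16  # 0.02 underlying per cToken, Compound v2's default


@dataclass
class Market:
    cash: int = 0          # underlying tokens held by the market contract
    total_supply: int = 0  # cTokens outstanding

    def exchange_rate(self) -> int:
        # Compound v2: (cash + borrows - reserves) / totalSupply, scaled by 1e18.
        # The denominator is the cToken supply, which is what makes a "dry"
        # market fragile: a tiny supply turns any change in cash into a huge ratio.
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        """Deposit underlying and receive cTokens (truncating division)."""
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def receive_direct(self, amount: int) -> None:
        """Underlying sent straight to the contract: cash rises, supply does not."""
        self.cash += amount


def rate_move_bps(seed_deposit: int, direct_transfer: int) -> int:
    """How far (in basis points) a direct transfer moves the exchange rate of a
    market seeded with `seed_deposit`; 10000 means unchanged."""
    m = Market()
    m.mint(seed_deposit)
    before = m.exchange_rate()
    m.receive_direct(direct_transfer)
    return m.exchange_rate() * 10_000 // before


def safe_to_enable_collateral(m: Market, min_supply: int) -> bool:
    """Hypothetical listing check: refuse to enable a market as collateral
    until enough locked seed liquidity exists to keep the rate stable."""
    return m.total_supply >= min_supply
```

With a 1 wei seed, a transfer of one whole token moves the rate by a factor of about 1e18; with a 1000-token seed the same transfer moves it by 0.1%.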
PeckShield supported this view, noting that the flawed contract was a contributing factor to the attack. The error stemmed from insufficient validation of user input, enabling the attackers to manipulate liquidation rewards.
This incident is not an isolated case within the decentralized finance (DeFi) sector. In September alone, several other projects also suffered from exploited vulnerabilities. On September 27, the Bedrock protocol lost over $2 million due to a flaw in the uniBTC contract, and on September 23, the Bankroll Network project lost $230,000 in an attack in which the perpetrators exploited a vulnerability in the “buyFor” function to increase their profits.