Hackers exploit Onyx Protocol for $2.1m

Nov 1, 2023 at 3:59 PM UTC

Edited by Brian Stone

News

On Oct. 27, Onyx Protocol, a decentralized peer-to-peer lending platform, experienced a significant security breach, resulting in a loss of approximately $2.1 million due to an exploit in a low-liquidity market.

The incident has raised concerns regarding the vulnerabilities present in decentralized finance (DeFi) platforms, particularly when it involves markets with low liquidity.

The @OnyxProtocol hack leads to ~$2.1M loss by exploiting a known rounding issue behind the popular CompoundV2 fork.

Basically, the exploited oPEPE market was deployed 5 days ago without any liquidity. This empty market was abused with donation to borrow funds from other… https://t.co/ijkXbOyYr2 pic.twitter.com/fbHdZhTz0E
— PeckShield Inc. (@peckshield) November 1, 2023

The attacker targeted a known bug—a rounding issue in the CompoundV2 fork, a popular framework in the DeFi space. This vulnerability went unnoticed by Onyx Protocol until blockchain investigator PeckShield identified and reported the incident.

PeckShield’s independent investigation revealed that the attacker exploited the oPEPE market, which was notably lacking in liquidity, by manipulating donations to borrow funds from other more liquid markets. They subsequently redeemed the borrowed funds through the exploitation of the rounding issue.

https://twitter.com/CertiKAlert/status/1647330607565885441?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1647330607565885441%7Ctwgr%5E7f318d68cc559957a4b68593f4b4b8de52e3629b%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcointelegraph.com%2Fnews%2Fonyx-protocol-exploiter-siphon-2-1-m-loot-tornado-cash

This is not the first instance of such an exploit; a similar attack was carried out on April 16 against the multichain lending protocol, Hundred Finance, resulting in a loss of $7 million. In the case of Hundred Finance, the attacker manipulated the exchange rate between ERC-20 tokens and hTOKENS, which enabled them to withdraw a larger amount of tokens than they initially deposited.

These recurring instances of cyber exploits highlight the pressing need for enhanced understanding and proficiency in tracking cryptocurrencies to mitigate such risks. The process encompasses transaction tracing, address clustering, behavioral analysis, pattern recognition, regulatory vigilance and collaboration—integral steps to ensure the integrity and security of decentralized finance platforms.