Onyx protocol is used for the second time with a known error of $3.8m

Decentralized financial (DeFi) protocol Onyx was exploited for $3.8 million on September 26, according to a report from blockchain security platform Peck Shield. The exploit used a known bug in the Compound Finance v2 codebase, and this bug was previously used to exploit Onyx on November 1. Vulnerabilities in NFT liquidity contracts contributed to the exploit, the report said.

In a September 27 X post, the Onyx team claimed that the faulty NFT contract was the cause of the exploit.

According to Peek Shield, 4.1 million virtual dollars (VUSD), 7.35 million Onyxcoin (XCN), 0.23 packs of Bitcoin (WBTC), $5,000 worth of Dai (DAI) stablecoin, and $50,000 worth of Tether (USDT) stablecoin were exported. Protocol, totaling over $3.8 million in losses.

The known vulnerability exists in version 2 of Compound Finance, a codebase used by often forked and decentralized finance protocols. In April 2023, it led to exploitation of percent financing. In November, the vulnerability was first exploited against Onyx.

RELATED: Onyx Protocol Hits $2.1m Hundred Fund Copycat Attack

The gap is only used when there is an “empty market” or a market with no liquidity, which is generally only when a new market opens.

The Onyx team acknowledged the exploit in an X post. “The Onyx protocol was vulnerable to a malicious actor exploiting the protocol to extract VUSD from the protocol,” he said. However, he said that the known defect was not the main cause. “[T]The main issue was the NFLiquidation contract, not the empty market,” he explained in one thread.

Peck Shield agrees that the NFT contract is “.[a]Another issue that facilitated the hack” was that the flawed contract allowed the attacker to “increase the amount of (untrustworthy) rewards because they didn't properly verify the user's input.”

DeFi exploits are a common source of loss for Web3 users. On September 27, liquid staking protocol Bedrock lost more than $2 million due to exposure in its uniBTC contract. On September 23, a banking network was drained of $230,000 when an attacker used a botched “buyFor” function to increase their profits.