Onyx Protocol exploited for a second time through a known bug, losing $3.8 million

Decentralized finance (DeFi) protocol Onyx was exploited for $3.8 million on September 26. The attack used a known bug in the Compound Finance v2 codebase, the same bug that was used to exploit Onyx in November 2023.

In a September 27 X post, the Onyx team said that a flawed NFT contract, rather than the known bug, was the main cause of the exploit.

According to PeckShield, the attacker drained 4.1 million VUSD, 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of Dai (DAI) stablecoin and $50,000 worth of USDt (USDT) stablecoin from the protocol, for total losses of more than $3.8 million.

Source: PeckShield

The known vulnerability exists in version 2 of Compound Finance, a codebase that is frequently forked by other DeFi lending protocols. In April 2023, it led to the exploit of Hundred Finance. In November 2023, the same vulnerability was exploited on Onyx for the first time.


RELATED: Onyx Protocol Suffers $2.1M Hundred Finance Copycat Attack

The vulnerability can only be exploited against an "empty market," a lending market with no liquidity, which is generally the case only when a new market is first opened. The attacker supplies a tiny amount to the empty market, inflates the cToken exchange rate by transferring underlying tokens directly to the contract, and then abuses rounding in the redeem path to recover the deposit while keeping assets borrowed against the inflated collateral.
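The following Python model is an added illustration and is not Onyx's or Compound's code. It reproduces the Compound v2 exchange-rate formula and its truncating integer divisions (the mechanism publicly analysed after the Hundred Finance exploit) to show why the bug only matters in an empty market: the attacker shrinks the cToken supply to 2 wei, donates underlying to inflate the exchange rate, borrows against the inflated collateral, then redeems almost all the donated cash while burning only one cToken. The same sequence is then run against a market that the protocol seeded at deployment, where the donation is shared with the pre-existing supply and the attack loses money. The 1:1 initial exchange rate, the 75% collateral factor, the "dead" seed address and all amounts are constructed assumptions.

```python
# Toy model of the Compound v2 "empty market" bug (added illustration, not protocol code).
# Assumptions: 1:1 initial exchange rate, 75% collateral factor, constructed amounts.

MANTISSA = 10**18
CF_NUM, CF_DEN = 75, 100  # assumed 75% collateral factor


class CTokenMarket:
    """Minimal cToken market using Compound v2's exchange-rate maths and truncating divisions."""

    def __init__(self, initial_rate=MANTISSA):
        self.cash = 0            # underlying held by the market contract
        self.total_supply = 0    # cTokens outstanding
        self.initial_rate = initial_rate
        self.balances = {}       # cToken balance per account
        self.debt = {}           # amount borrowed from another (unmodelled) market

    def exchange_rate(self):
        # Compound v2: initialExchangeRate while totalSupply == 0, otherwise cash / totalSupply.
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, user, amount):
        tokens = amount * MANTISSA // self.exchange_rate()   # mintTokens, truncated
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def redeem_tokens(self, user, tokens):
        amount = tokens * self.exchange_rate() // MANTISSA   # redeemAmount, truncated
        self._burn(user, tokens, amount)
        return amount

    def redeem_underlying(self, user, amount):
        # redeemTokens = redeemAmountIn / exchangeRate, truncated. With a huge exchange
        # rate the caller can pick `amount` so the quotient rounds down by almost a whole cToken.
        rate = self.exchange_rate()
        tokens = amount * MANTISSA // rate
        # Liquidity check values the remaining cTokens at the current (inflated) rate.
        remaining_value = (self.balances[user] - tokens) * rate // MANTISSA
        if self.debt.get(user, 0) > remaining_value * CF_NUM // CF_DEN:
            raise ValueError("redeem would leave the account undercollateralised")
        self._burn(user, tokens, amount)
        return tokens

    def _burn(self, user, tokens, amount):
        if tokens > self.balances[user] or amount > self.cash:
            raise ValueError("insufficient balance or market cash")
        self.balances[user] -= tokens
        self.total_supply -= tokens
        self.cash -= amount

    def donate(self, amount):
        # Direct ERC-20 transfer to the cToken contract: cash rises, no cTokens are minted.
        self.cash += amount

    def borrow_against(self, user, amount):
        value = self.balances.get(user, 0) * self.exchange_rate() // MANTISSA
        if self.debt.get(user, 0) + amount > value * CF_NUM // CF_DEN:
            raise ValueError("insufficient liquidity")
        self.debt[user] = self.debt.get(user, 0) + amount


def run_attack(seed_supply=0, deposit=10**18, donation=10**24):
    """Run the empty-market sequence; seed_supply > 0 models a market seeded at deployment."""
    m = CTokenMarket()
    if seed_supply:
        m.mint("dead", seed_supply)          # protocol-owned shares nobody can redeem
    a = "attacker"
    spent = deposit + donation
    m.mint(a, deposit)
    got = m.redeem_tokens(a, m.balances[a] - 2)   # leave exactly 2 wei of cTokens
    m.donate(donation)                             # inflate exchange rate (flash loan in practice)
    one_token_value = m.exchange_rate() // MANTISSA
    borrowed = one_token_value * CF_NUM // CF_DEN  # max debt that 1 cToken can still cover
    m.borrow_against(a, borrowed)
    redeem_amt = 2 * m.exchange_rate() // MANTISSA - 1   # just under the value of 2 cTokens
    burned = m.redeem_underlying(a, redeem_amt)          # truncation burns only 1 of them
    got += redeem_amt
    return {
        "borrowed": borrowed,               # kept by the attacker, never repaid
        "underlying_net": got - spent,      # underlying recovered minus underlying put in
        "ctokens_burned": burned,
        "market_cash": m.cash,
        "market_supply": m.total_supply,
    }


if __name__ == "__main__":
    print("empty market :", run_attack())
    print("seeded market:", run_attack(seed_supply=10**18))
```

In the empty market the attacker ends one wei of underlying down but walks away with the borrowed assets, leaving a market of one wei of cash backing one cToken and an unrepayable debt. In the seeded market the donation mostly accrues to the pre-existing shares, so the borrow limit is tiny and the attacker loses almost the whole donation; seeding new markets (or otherwise enforcing a minimum supply) is the standard mitigation Compound forks apply.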

The Onyx team acknowledged the exploit in an X post. "The Onyx protocol was vulnerable to a malicious actor exploiting the protocol to extract VUSD from the protocol," the team said. However, it said that the known defect was not the main cause. "The main issue was not the empty market but the NFTLiquidation Contract," the team said in the same thread.

PeckShield agreed that the NFT contract was "[a]nother issue that facilitated the hack": the flawed contract allowed the attacker to "increase the amount of (untrustworthy) rewards because they didn't properly verify the user's input."


Onyx NFT contract vulnerability. Source: PeckShield

DeFi exploits are a common source of losses for Web3 users. On September 27, liquid staking protocol Bedrock lost more than $2 million to a vulnerability in its uniBTC contract. On September 23, Bankroll Network was drained of $230,000 when an attacker abused a flawed "buyFor" function to inflate their profits.
