Originally published on: September 27, 2024
The decentralized finance (DeFi) protocol Onyx found itself at the mercy of an exploit on September 26, leading to a loss of $3.8 million, as reported by blockchain security platform PeckShield. This exploit took advantage of a known bug present in the Compound Finance v2 codebase, a vulnerability that had previously been used to target Onyx on November 1. The exploit was further aided by a flaw in the non-fungible token (NFT) liquidation contract, contributing to the significant losses suffered.
According to the PeckShield report, the exploit resulted in the draining of 4.1 million virtual USD (VUSD), 7.35 million Onyxcoin (XCN), 0.23 Wrapped Bitcoin (WBTC), $5,000 worth of the Daistablecoin, and $50,000 worth of the USDt stablecoin, totaling to over $3.8 million in losses for the protocol.
The vulnerability present in Compound Finance v2, frequently forked and used by DeFi protocols, was previously exploited against Hundred Finance in April 2023 and later against Onyx for the first time in October 2023. It is only possible to exploit this flaw in an “empty market,” which occurs when there is a lack of liquidity, typically seen when a new market is launched.
The Onyx team acknowledged the exploit in a public post, attributing the root cause to a faulty NFT contract. They asserted that the primary issue did not stem from an empty market but rather from the NFT Liquidation Contract, emphasizing this in a series of communications.
PeckShield also recognized the NFT contract as a contributing factor to the hack, noting that the flawed contract enabled the attacker to manipulate the self-liquidation reward amount by failing to adequately authenticate user input.
DeFi exploits continue to pose risks and result in losses for users of Web3 platforms. Recently, liquid staking protocol Bedrock suffered a loss of over $2 million due to a vulnerability in its uniBTC contract while Bankroll Network faced a loss of $230,000 as a result of an attacker exploiting a faulty function to inflate their profits.
Stay informed about the latest developments in DeFi security to protect your assets in the evolving landscape of decentralized finance.
